BUUCTF WEB easy_tornado
Opening the challenge reveals three files:
Viewing each of them:
Looking it up: Tornado is a Python web framework.
A few days ago I had just been learning Django, another Python framework.
render appears to be a template rendering function.
From hints.txt we learn that the cookie_secret must be known before the file can be read.
The URL is clearly a bit special! Try a file read? filename=/fllllllllllllag returns an error.
Looking further, the URL parameter is displayed on the page unchanged, and this is a Python framework,
so a template may be in use; try Python template injection. It seems to work,
but I had never done a template injection challenge before!
Looking up template injection (SSTI): user input must not be trusted and the user must not control the template, but this still seemed quite hard.
Then, reading about Tornado, I learned that there is something like an environment variable, handler.settings.
Tornado small note - the template Handler
Get the handler.settings environment variables:
This gives the cookie_secret; the rest is easy with a script:
import hashlib

def Md5(x):
    # hex MD5 of the UTF-8 encoding of x
    md5 = hashlib.md5(str(x).encode("utf8")).hexdigest()
    return md5

# filehash = md5(cookie_secret + md5(filename)), as described in hints.txt
print(Md5("de539c46-345b-4025-8fc4-bf0388d35f1a" + Md5("/fllllllllllllag")))
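The filehash scheme from hints.txt, written out as an added example (not the writeup's own script) with both the signing side and a server-side verification check. It uses the cookie_secret and file path from the writeup; the function names are my own. The point it makes: the filehash protects nothing once cookie_secret leaks through handler.settings, because the filename is public and the secret is the only unknown.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    """Hex MD5 of a UTF-8 string, the primitive the challenge's URL scheme is built on."""
    return hashlib.md5(data.encode("utf8")).hexdigest()


def file_hash(cookie_secret: str, filename: str) -> str:
    """filehash as the challenge computes it: md5(cookie_secret + md5(filename)).

    The filename is visible in the URL, so the integrity of the link rests
    entirely on cookie_secret staying secret.
    """
    return md5_hex(cookie_secret + md5_hex(filename))


def verify_file_hash(cookie_secret: str, filename: str, presented: str) -> bool:
    """Server-side check of a presented filehash, using a constant-time comparison
    so the comparison itself does not leak which prefix of the hash was right."""
    expected = file_hash(cookie_secret, filename)
    return hmac.compare_digest(expected, presented.lower())


if __name__ == "__main__":
    # Values from the writeup: the leaked cookie_secret and the flag file's path.
    secret = "de539c46-345b-4025-8fc4-bf0388d35f1a"
    path = "/fllllllllllllag"
    good = file_hash(secret, path)
    print("filehash:", good)
    print("valid with the real secret:", verify_file_hash(secret, path, good))
    # Without the real secret the check fails; leaking it via the template is what breaks the scheme.
    print("valid with a guessed secret:", verify_file_hash("guess", path, good))
```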
Get the flag:
I did not know that Tornado's handler.settings could really do this.
The scope of web is far too wide.