easy tornado
I went bug hunting during the day today and didn't do any challenges. I was really unlucky ==. I didn't find an arbitrary password reset until the afternoon.
I get so sleepy at night that it isn't suitable for doing other things. I may do fewer challenges later on, as there are other things keeping me busy.
Looking at the challenge: it is about Tornado, a Python back-end framework. (I have used Django and Flask, but I have not used this one, so it is not so familiar.)
Opening the page shows three links.
I went into each one in turn and took a look.
/flag.txt
Here is flag in /fllllllllllllag
(This tells where the flag is and what it is named.)
/welcome.txt
Here is render
(I don't know what this is used for.)
/hints.txt
md5(cookie_secret+md5(filename))
(This tells how the filehash in the URL is calculated.)
With no clue, I just visited /file?filename=/fllllllllllllag&filehash=9c5ad79deed65ab051dd902de00056fe
There is an error.
I just added a single quote to the URL and pressed Enter, and it shows ORZ.
? ? ? ?
Guessing at what was wrong, I tried a few SQLi payloads, with no gain.
I suddenly remembered the SSTI bug I wrote about yesterday and tried it.
It failed. I tried other methods and they all failed; I do not know where the problem is.
So I searched for Tornado vulnerabilities and found a writeup (wp).
Roughly speaking, in Tornado the application settings can be accessed through handler.settings.
Use that to get cookie_secret.
After you get it, just calculate md5(cookie_secret+md5(filename)).
Finally, access /file?filename=/fllllllllllllag&filehash=xxxxxxxxx
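The formula from /hints.txt worked through in Python, as an added example that is not code from the original post or from the challenge. It assumes md5() means the lowercase hex digest of the text; DEMO_SECRET is a constructed value, and server_accepts and hmac_filehash are hypothetical helpers showing the server-side check and a stronger construction for it.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    # Assumption: md5() in the hint means the lowercase hex digest of the UTF-8 text.
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def filehash(cookie_secret: str, filename: str) -> str:
    # The formula shown in /hints.txt: md5(cookie_secret + md5(filename)).
    return md5_hex(cookie_secret + md5_hex(filename))

def server_accepts(cookie_secret: str, filename: str, supplied: str) -> bool:
    # Hypothetical server-side check: recompute the hash and compare in constant time.
    return hmac.compare_digest(filehash(cookie_secret, filename), supplied.lower())

def hmac_filehash(key: bytes, filename: str) -> str:
    # Stronger construction for the same job: HMAC-SHA256 over the filename.
    # It still depends on the key never being reachable from a rendered template.
    return hmac.new(key, filename.encode("utf-8"), hashlib.sha256).hexdigest()

# Constructed values for the demonstration; not the challenge's real secret.
DEMO_SECRET = "constructed-demo-secret"
FLAG_PATH = "/fllllllllllllag"
GUESSED_HASH = "9c5ad79deed65ab051dd902de00056fe"  # the hash tried in the first request above

def demo() -> dict:
    good = filehash(DEMO_SECRET, FLAG_PATH)
    return {
        # A hash that was not computed with this secret and filename is rejected.
        "guess_accepted": server_accepts(DEMO_SECRET, FLAG_PATH, GUESSED_HASH),
        # Whoever knows cookie_secret can produce a hash the server accepts.
        "computed_accepted": server_accepts(DEMO_SECRET, FLAG_PATH, good),
        # The hash is bound to one filename and does not carry over to another.
        "other_file_accepted": server_accepts(DEMO_SECRET, "/hints.txt", good),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The only thing protecting the file endpoint is cookie_secret, which is why exposing handler.settings through a template is enough to defeat the check.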