Attack and defense world - easytornado notes
2022-07-19 02:20:00 【jjj34】
Reference blogs:
Python: From Server-Side Template Injection to Sandbox Escape, a Source Code Exploration (Part 1) - The Prophet Community (aliyun.com)
XCTF series // Web | easytornado, Ga1axy_z's blog on CSDN
Tornado
Tornado is a full-stack web framework and asynchronous networking library written in Python; it is one of the Python web development frameworks.
Tornado template injection
From welcome.txt we can see:

Clearly, this challenge is about render template injection.
The render template:
render is a rendering function in Python, that is, a template: depending on the parameters passed in the call, it generates different web pages. When the content passed to render is user-controllable, XSS can be injected.
The principle is similar to Flask template injection:
Flask template injection, jjj34's blog on CSDN
Analyzing the challenge

From this file we learn that the value of filehash is md5(cookie_secret + md5(filename)).

From this file we can see that the flag is in /fllllllllllllag.
So we try to access the /fllllllllllllag file directly.

Clearly, this is where the exploitable point appears.

There is a filter
The hint seen above mentions cookie_secret, so we look for cookie_secret through handler.settings.
The Tornado source code is as follows:

Constructing the payload from the source code
1. cookie_secret is stored in settings.
2. settings is passed as a parameter to the Application constructor, so self.application.settings can be used to get the cookie.
3. According to the official documentation, RequestHandler.settings is an alias for self.application.settings, and handler points to the RequestHandler object that is processing the current page, so handler.settings can be used to get cookie_secret.
So our payload is:
http://111.200.241.244:50619/error?msg={{handler.settings}}
With the cookie_secret obtained, what remains is the MD5 hashing to work out the filehash value.
Hashing website: MD5 online decryption, MD5 decryption and encryption (cmd5.com)
filehash = md5(cookie_secret + md5(/fllllllllllllag))
1. Take the MD5 of /fllllllllllllag to get x1.
2. Concatenate cookie_secret with x1 and, following the formula above, take the MD5 of the result to get x2.
x2 is the filehash we want.
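The two steps above as a runnable sketch, together with the server-side check they imply; this is an added example, not code from the original post or from the challenge. It assumes both MD5 values are lowercase hex strings joined by string concatenation, uses a constructed secret, and goes slightly beyond the page by including an HMAC-SHA256 variant of the token; the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample values; the real cookie_secret is known only to the server.
SAMPLE_SECRET = "constructed-cookie-secret-for-illustration"
SAMPLE_FILE = "/fllllllllllllag"


def md5_hex(text: str) -> str:
    """Lowercase hex MD5 of a UTF-8 string."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def filehash_md5(cookie_secret: str, filename: str) -> str:
    """The page's scheme: md5(cookie_secret + md5(filename)).

    Assumption: both MD5 values are hex strings joined by string concatenation.
    """
    x1 = md5_hex(filename)              # step 1: md5(filename)
    return md5_hex(cookie_secret + x1)  # step 2: md5(cookie_secret + x1)


def filehash_hmac(cookie_secret: str, filename: str) -> str:
    """Hardened variant (assumption, not from the page): HMAC-SHA256 of the name."""
    return hmac.new(cookie_secret.encode("utf-8"),
                    filename.encode("utf-8"), hashlib.sha256).hexdigest()


def check_request(cookie_secret: str, filename: str, supplied: str,
                  scheme=filehash_md5) -> bool:
    """Server-side check: recompute the token and compare in constant time."""
    expected = scheme(cookie_secret, filename)
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


if __name__ == "__main__":
    token = filehash_md5(SAMPLE_SECRET, SAMPLE_FILE)
    print("filehash:", token)
    print("matching token accepted:", check_request(SAMPLE_SECRET, SAMPLE_FILE, token))
    print("token reused for another file rejected:",
          not check_request(SAMPLE_SECRET, "/welcome.txt", token))
```

Both token schemes depend entirely on cookie_secret staying on the server; once handler.settings is rendered into a response, the token for any filename can be recomputed, so the fix belongs in how the msg parameter is rendered rather than in the hash.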

The challenge is solved.