BUUCTF [WesternCTF2018]shrine

[WesternCTF2018] shrine template injection

Open the challenge and view the page source: it gives the Python code of the application. The code uses Flask, which suggests template injection.
You can test it like this:
In the source code, the flag is stored with app.config['FLAG'] = os.environ.pop('FLAG').
So {{config}} should show everything in app.config, but this challenge blacklists ['config', 'self'] and filters parentheses.
Flask, however, also makes some built-in functions available in templates, such as url_for and get_flashed_messages.

url_for
current_app should be the current application, so we can read the config under the current app, and the flag comes out.

get_flashed_messages

Similarly:

/shrine/{{get_flashed_messages.__globals__['current_app'].config['FLAG']}}
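
A detection-side view of the requests above, as an added example that is not part of the original write-up: it scans access-log lines for Jinja2 delimiters in the URL path and rates a hit higher when a double-underscore attribute such as __globals__ is present. The log lines are constructed samples, and the function names are this example's own.

```python
import re
from urllib.parse import unquote

# Jinja2 expression/statement delimiters, tolerating whitespace such as "{ {"
DELIM = re.compile(r"\{\s*[\{%]")
# Any double-underscore attribute, e.g. the __globals__ used in the write-up
DUNDER = re.compile(r"__\w+__")
# Request line inside a common-log-format entry
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(path, max_rounds=3):
    """Undo up to max_rounds layers of percent-encoding (catches double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(line):
    """Return (severity, decoded_path) for one access-log line, or None if clean."""
    m = REQUEST.search(line)
    if not m:
        return None
    path = decode_fully(m.group(1))
    if not DELIM.search(path):
        return None
    # A bare template expression is a probe; dunder access is an escape attempt.
    severity = "high" if DUNDER.search(path) else "probe"
    return severity, path

def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (not taken from the original page)
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2020:10:00:00 +0000] "GET /shrine/hello HTTP/1.1" 200 5',
    '203.0.113.5 - - [01/Jan/2020:10:00:05 +0000] "GET /shrine/%7B%7Bconfig%7D%7D HTTP/1.1" 200 4',
    '203.0.113.5 - - [01/Jan/2020:10:00:09 +0000] "GET /shrine/%7B%7Bget_flashed_messages.__globals__%5B%27current_app%27%5D.config%5B%27FLAG%27%5D%7D%7D HTTP/1.1" 200 40',
    '203.0.113.5 - - [01/Jan/2020:10:00:12 +0000] "GET /shrine/%257B%257Bget_flashed_messages.__globals__%257D%257D HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for severity, path in scan(SAMPLE_LOG):
        print(severity, path)
```
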



Origin blog.csdn.net/qq_42812036/article/details/104324923