[WesternCTF2018] shrine template injection
Opening the challenge shows its source code. It is Python code using Flask, which suggests template injection.
You can test it like this:
Looking at the source code, the flag is stored with app.config['FLAG'] = os.environ.pop('FLAG').
I speculated that {{config}} would show all of the app.config contents, but this challenge has a blacklist ['config', 'self'] and parentheses are filtered.
However, the template context also exposes some built-in global functions, such as url_for and get_flashed_messages.
url_for
current_app should be the current application, so we can read the config under current_app, and the flag comes out.
get_flashed_messages
Similarly:
/shrine/{{get_flashed_messages.__globals__['current_app'].config['FLAG']}}
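From the defending side, requests like the one above stand out in an access log. The following is an added example, not code from the challenge or from the original write-up: a small scanner that URL-decodes request paths and flags template expressions, rating those that pivot through dunder attributes or current_app as high. The log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Jinja2 expression/statement delimiters inside a decoded request path.
TEMPLATE_EXPR = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Attribute pivots the write-up relies on: dunder names and current_app.
PIVOT = re.compile(r"__\w+?__|\bcurrent_app\b")
# Request path from a combined-format access log line (assumed format).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def decode_fully(path, rounds=3):
    """URL-decode until stable so %7B%7B and %257B%257B both become {{."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(path):
    """'high' = template expression with an object pivot, 'medium' = any
    template expression, None = nothing template-like in the path."""
    exprs = TEMPLATE_EXPR.findall(decode_fully(path))
    if not exprs:
        return None
    return "high" if any(PIVOT.search(e) for e in exprs) else "medium"

def scan(log_lines):
    """Return (line_number, severity, decoded_path) for each flagged request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        severity = classify(match.group(1)) if match else None
        if severity:
            hits.append((number, severity, decode_fully(match.group(1))))
    return hits

# Constructed sample log lines (not taken from the challenge server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /shrine/hello HTTP/1.1" 200 5',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /shrine/%7B%7Bconfig%7D%7D HTTP/1.1" 200 4',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /shrine/%7B%7Bget_flashed_messages.__globals__'
    '%5B%27current_app%27%5D.config%5B%27FLAG%27%5D%7D%7D HTTP/1.1" 200 38',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Log detection of this kind is a backstop. The underlying fix is to pass the path segment to the template as a variable rather than rendering it as template source.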