Wargame/Dreamhack

[Web] simple-ssti

λ‚¨λ°”μ˜€ 2023. 2. 25. 17:32

https://dreamhack.io/wargame/challenges/39/

 

simple-ssti

μ‘΄μž¬ν•˜μ§€ μ•ŠλŠ” νŽ˜μ΄μ§€ λ°©λ¬Έμ‹œ 404 μ—λŸ¬λ₯Ό 좜λ ₯ν•˜λŠ” μ„œλΉ„μŠ€μž…λ‹ˆλ‹€. SSTI 취약점을 μ΄μš©ν•΄ ν”Œλž˜κ·Έλ₯Ό νšλ“ν•˜μ„Έμš”. ν”Œλž˜κ·ΈλŠ” flag.txt, FLAG λ³€μˆ˜μ— μžˆμŠ΅λ‹ˆλ‹€. Reference Server-side Basic

dreamhack.io

Code

#!/usr/bin/python3
from flask import Flask, request, render_template, render_template_string, make_response, redirect, url_for
import socket

app = Flask(__name__)

try:
    FLAG = open('./flag.txt', 'r').read()
except:
    FLAG = '[**FLAG**]'

app.secret_key = FLAG


@app.route('/')
def index():
    return render_template('index.html')

@app.errorhandler(404)
def Error404(e):
    template = '''
    <div class="center">
        <h1>Page Not Found.</h1>
        <h3>%s</h3>
    </div>
''' % (request.path)
    return render_template_string(template), 404

app.run(host='0.0.0.0', port=8000)

 

Write Up

μœ„μ˜ μ½”λ“œλ₯Ό 보면 404μ—λŸ¬ νŽ˜μ΄μ§€μ—μ„œ %request.pathλ₯Ό λ°˜ν™˜ν•΄μ€€λ‹€λŠ” 것을 μ•Œ 수 μžˆλ‹€.

404Error λŒ€μ‹  μ›ν•˜λŠ” μˆ˜μ‹μ„ μ¨λ³΄λ‹ˆ, {{10*10}} 을 넣은 κ²½μš°μ— ν…μŠ€νŠΈ κ·ΈλŒ€λ‘œ λ“€μ–΄κ°€λŠ” 게 μ•„λ‹Œ κ³„μ‚°λœ 값이 좜λ ₯λ˜λŠ” 것을 확인할 수 μžˆλ‹€. 이 λΆ€λΆ„μ—μ„œ ssti 취약점을 μ΄μš©ν•˜λ©΄,

이 λΆ€λΆ„μ—μ„œ ssti 취약점을 μ΄μš©ν•˜μ—¬, {{config.items()}}λ₯Ό μž…λ ₯ν•˜λ©΄,

ν”Œλž˜κ·Έ νšλ“