Jennings Zhang edited this page Sep 13, 2019 · 3 revisions
  1. Notice that Flask is a dependency.
  2. flag.txt is being used as app.secret_key.
  3. HTTP POST to /maga will return a page that displays user input.
  4. The function render_template_string is called.
  5. Flask documentation

Flask uses Jinja2 as its template engine.

  1. Jinja templates use mustaches (aka handlebars or double braces) for substituting variables.

  2. Flask exposes global variables to Jinja2.

  3. The flask.config variable holds a key-value pair for app.secret_key.

  4. Submit {{config}} into the phone text field of the form on /index.html. The flag is revealed in the output.

If you google "python flask exploit," this is the first result: https://nvisium.com/resources/blog/2015/12/07/injecting-flask.html
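
A review-time check for the pattern described above, added here as an example and not taken from the challenge or from Flask: it parses Python source and flags every `render_template_string` call whose template is built at runtime instead of being a string literal. The embedded sample app (the `/maga_fixed` route, the `phone` form key and the HTML) is constructed for illustration.

```python
import ast

# Constructed sample, not the challenge's source: the first route builds the
# template from user input, the second passes the input as a template variable.
SAMPLE = '''
from flask import Flask, request, render_template_string
app = Flask(__name__)

@app.route("/maga", methods=["POST"])
def maga():
    phone = request.form["phone"]
    return render_template_string("<p>Thanks, " + phone + "</p>")

@app.route("/maga_fixed", methods=["POST"])
def maga_fixed():
    phone = request.form["phone"]
    return render_template_string("<p>Thanks, {{ phone }}</p>", phone=phone)
'''


def find_dynamic_templates(source):
    """Return sorted (line, function) pairs for render_template_string calls,
    made inside a function, whose template is not a plain string literal."""
    findings = set()
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for node in ast.walk(func):
            if not isinstance(node, ast.Call):
                continue
            # Matches both render_template_string(...) and flask.render_template_string(...)
            callee = node.func
            name = getattr(callee, "id", None) or getattr(callee, "attr", None)
            if name != "render_template_string":
                continue
            # The template is the first positional argument or the source= keyword.
            template = node.args[0] if node.args else None
            for kw in node.keywords:
                if kw.arg == "source":
                    template = kw.value
            literal = isinstance(template, ast.Constant) and isinstance(template.value, str)
            if not literal:
                findings.add((node.lineno, func.name))
    return sorted(findings)


if __name__ == "__main__":
    for line, func in find_dynamic_templates(SAMPLE):
        print(f"line {line}: {func}() builds the template at runtime")
```

In the fixed route the user's value reaches Jinja2 only as data, so a submitted `{{config}}` is displayed as text rather than evaluated.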
