After playing around for a while, we found that some characters are blocked, including: $*_+[]"'/%
Also, we found that % makes the server return an internal server error, and ## works like a comment.
It looks like an SSTI challenge, so we need to find out which template engine is behind it. To get more information, I tried randomly sending invalid requests to the server, like this:

    POST generate HTTP/1.1

and luckily the server responds with:

    HTTP/1.1 400 Bad Request
    Content-Length: 133
    Content-Type: text/plain

    Invalid path in Request-URI: request-target must contain origin-form which starts with absolute-path (URI starting with a slash "/").

I searched for this text, found this https://github.com/cherrypy/cheroot/blob/master/cheroot/server.py#L900 and then this Python web framework: CherryPy.
After looking at the docs, this part got my attention:

    CherryPy does not provide any HTML template but its architecture makes it easy to integrate one. Popular ones are Mako or Jinja2.

I checked Mako: it uses <% %> blocks and ## for comments. My teammate used this loop to confirm it's Mako:

    % for a in (1,2,3):
    1
    % endfor

The SSTI payloads we found on the internet are all about <% %> and ${}, but %> and $ are both blocked, so what should we do?
The answer might be simple but it took us some time to discover:

    % for a in (self.module.cache.util.os.system(name),2,3):
    1
    % endfor

A % control line can also run Python code, and we can leverage os.system and the name parameter to run a command.
At first, I tried to send a request to my server but failed. Suddenly, I remembered that the home page said the template is stored at ./templates, so I created a file and tried to read it, and it succeeded!
In the end, we used this payload cat /flag > ./template/huli.html and read the file from http://124.71.178.252/view/huli.html
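The challenge's character filter blocked the `${}` and `<% %>` constructs but not Mako's line-start `%` control lines, which is exactly the construct the writeup ends up using (and what turned a stray `%` into a 500 error). As an added example that is not part of the writeup, the following Python function scans text that is about to be compiled as Mako template source and reports every Mako construct it finds; the patterns follow Mako's documented syntax, the sample inputs are constructed, and the three-line `% for` loop is the one quoted above.

```python
import re

# Mako constructs that must never appear in data compiled as template source.
# Patterns are written from Mako's syntax reference:
#   ${...}       expression substitution
#   <% ... %>    Python block (also <%! %>, <%def>, <%include>, ...)
#   ## ...       comment line
#   % ...        control line: any line whose first non-blank char is '%'
#                ('%%' is Mako's escape for a literal '%', so it is excluded)
MAKO_PATTERNS = {
    "expression":   re.compile(r"\$\{"),
    "block_open":   re.compile(r"<%"),
    "block_close":  re.compile(r"%>"),
    "comment":      re.compile(r"^[ \t]*##", re.M),
    "control_line": re.compile(r"^[ \t]*%(?!%)", re.M),
}


def find_mako_constructs(text):
    """Return a sorted list of (construct_name, line_number) for every Mako
    syntax element found in `text`. An empty list means the text contains
    nothing Mako would interpret."""
    hits = []
    for name, pattern in MAKO_PATTERNS.items():
        for match in pattern.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            hits.append((name, line_no))
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


def is_plain_text(text):
    """True only if the text carries no Mako syntax at all."""
    return not find_mako_constructs(text)


if __name__ == "__main__":
    # Constructed samples; the loop is the Mako probe from the writeup.
    samples = {
        "harmless":        "hello world",
        "escaped percent": "100%% sure",
        "expression":      "${7*7}",
        "python block":    "<% x = 1 %>",
        "comment":         "## hidden note",
        "control lines":   "% for a in (1,2,3):\n1\n% endfor",
    }
    for label, sample in samples.items():
        print(f"{label:16s} -> {find_mako_constructs(sample)}")
```

A detector like this belongs at the boundary where the application would otherwise hand user data to `mako.template.Template(...)`; the real fix for the bug behind this challenge is to never compile user input at all and instead pass it to a fixed template as a context variable, where `${name}` substitution escapes it rather than executing it.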