Category: Web

Points: 100



from flask import Flask, render_template, request
import html
import os

app = Flask(__name__)

def index():
    return render_template('index.html')

blacklist = ["flag", "cat", "|", "&", ";", "`", "$"]

def backend():
    for word in blacklist:
        if word in request.args['query']:
            return "Stop hacking.\n"
    return html.escape(os.popen(f"sed {request.args['query']} stuff.txt").read())

From reading the source code we can see that we can't use command injection. But we can add all the file to sed with a simple payload '' * where * means to include all the files the directory.

And then searching of "ictf" in browser we can find the flag.

SaaS 1