-
Notifications
You must be signed in to change notification settings - Fork 0
/
index.py
33 lines (26 loc) · 960 Bytes
/
index.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
from flask import Flask, request, render_template_string, render_template
app = Flask(__name__)
@app.route('/')
def hello_world():
return '<a href="/hello-template-injection?name=Jack">Hi jack!</a>'
@app.route('/hello-template-injection')
def hello_ssti():
person = {'name':"world", 'secret':"UGhldmJoZj8gYWl2ZnZoei5wYnovcG5lcnJlZg=="}
if request.args.get('name'):
person['name'] = request.args.get('name')
template = '''<h2>Hello %s!</h2>''' % person['name']
return render_template_string(template, person=person)
####
# Private function if the user has local files.
###
def get_user_file(f_name):
with open(f_name) as f:
return f.readlines()
app.jinja_env.globals['get_user_file'] = get_user_file # Allows for use in Jinja2 templates
if __name__ == "__main__":
#app.run(debug=True)
app.run(
host="192.168.33.101", #ip adress binding myself
port=int("5000"),
debug=True
)