堆栈内存溢出
  简体   繁体   English

从 Javascript 中读取 Flask 变量

[英]Read Flask variable from Javascript

 原文  2020-03-01 11:39:43       javascript/ flask/ xss

问题描述

I am doing a CTF challenge, but my question is not about how to solve it, rather the syntax.我正在做一个 CTF 挑战,但我的问题不是关于如何解决它,而是关于语法。 The challenge is to read the secret key in Flask server's configuration.挑战在于读取 Flask 服务器配置中的密钥。 It is stored in the app.secret_key variable and I want to alert it on the screen by XSS.它存储在app.secret_key变量中,我想通过 XSS 在屏幕上提醒它。

Question: how can I access that variable in Flask code from javascript and put it in <script>alert(variable)</script> snippet?问题:如何从 javascript 访问 Flask 代码中的该变量并将其放入<script>alert(variable)</script>片段中?

I tried <script type="text/javascript">let v="{{=app.secret_key}}"; alert(v); </script>我试过<script type="text/javascript">let v="{{=app.secret_key}}"; alert(v); </script> <script type="text/javascript">let v="{{=app.secret_key}}"; alert(v); </script> <script type="text/javascript">let v="{{=app.secret_key}}"; alert(v); </script> but it gave Internal Server Error. <script type="text/javascript">let v="{{=app.secret_key}}"; alert(v); </script>但它给出了内部服务器错误。

1 个解决方案

解决方案1
 0  2020-03-01 13:23:13

First, it must be said, in general you should should absolutely not do this .首先,必须说,一般情况下你绝对不应该这样做 app.secret_key should never, ever be exposed publicly and should be regarded as a closely guarded secret. app.secret_key永远不应该被公开,应该被视为严密保密的秘密。 Hence the name.由此得名。 But since you're doing this for presumably good reasons involving your game, let's continue.但是,既然您这样做可能是出于与您的游戏有关的充分理由,那么让我们继续。

Probably the simplest way to expose Python variables to JavaScript is directly in the template by dumping JSON.将 Python 变量暴露给 JavaScript 的最简单方法可能是通过转储 JSON 直接在模板中。 Consider this code:考虑这个代码:

import json

from flask import Flask, render_template

app = Flask(__name__)
app.secret_key = 'THIS IS SECRET'


@app.route('/')
def hello_world():
    server_vars = {
        'secretKey': app.secret_key,
        'favoriteFoods': ['Eggs', 'Spam']
    }

    return render_template(
        'hello.html',
        server_vars=json.dumps(server_vars)
    )


if __name__ == '__main__':
    app.run()

We're rendering the template hello.html and sending it a template variable, server_vars , which is a rendered JSON string of the same server-side variable, which is a dictionary.我们正在渲染模板hello.html并向它发送一个模板变量server_vars ,它是相同服务器端变量的渲染 JSON 字符串,它是一个字典。 This enables us to send any number arbitrary JSON-compatible variables to JavaScript.这使我们能够向 JavaScript 发送任意数量的任意 JSON 兼容变量。 See hello.html :hello.html

<!doctype html>
<html lang="en">
<head>
  <title>Document</title>
</head>
<body>
<script>
  window.serverVars = {{ server_vars | safe }};
  alert(window.serverVars.secretKey)
  console.log('btw, my favorite foods are', window.serverVars.favoriteFoods)
</script>
</body>
</html>

Notice that in addition to sending secretKey, we actually sent a Python list, which was converted into an array in JavaScript.注意,除了发送secretKey之外,我们实际上发送了一个Python列表,该列表在JavaScript中转换为数组。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 从 Flask 读取 Javascript 中的变量名称 - Read a variable name in Javascript from Flask 如何从 Javascript 中读取 flask session 变量? - How can I read flask session variable from Javascript? 将变量从烧瓶传递给 javascript [烧瓶] - passing variable from flask to javascript [flask] 将变量从 JavaScript 发送到 Flask - Send variable from JavaScript into Flask 从Javascript将变量传递给Flask,然后加载模板 - Passing variable to Flask from Javascript and then loading template 将flask变量从javascript传递到html - Pass a flask variable from javascript to html 如何将变量从烧瓶传递给 javascript 函数? - how to pass a variable from flask to javascript function? 如何将变量从 Javascript 传递到 Flask - How to pass a variable from Javascript to Flask 有没有办法从 flask 触发 JavaScript function 或将 {{variable}} 传递给 ZDE9B9ED78DE?E - Is there a way to trigger a JavaScript function from flask or pass {{variable}} into javascript? 将 Flask 变量传递给 Javascript - Pass Flask variable into Javascript
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM