Website:

The site allows us to upload an image, which hits the API endpoint /api/alphafy.

This submits the image encoded as base64 to the backend, along with a background parameter, which is an array.

This appears to be the only functionality.

Source Code:

The backend code is Python Flask, with only two routes:

The alphafy page makes use of a function from application.util, called make_alpha.

We see the PIL ImageMath library in use, with an interesting function call to ImageMath.eval().

requirements.txt shows the Pillow version to be 8.4.0.

A search for "pillow 8.4.0 exploit" returns an arbitrary code execution flaw in Pillow versions less than 9.0.0, specifically in ImageMath.eval().

Link: https://security.snyk.io/vuln/SNYK-PYTHON-PILLOW-2331901

Viewing the linked GitHub commit shows that the fix restricts the Python builtins available to the evaluated expression, reducing the code that can be called. The commit also shows an example of code execution in the rst file.

Therefore, if we look back at the application source, we see that we control the ‘color’ variable: it takes the background parameter from our request and is then passed into ImageMath.eval.
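
The defensive counterpart to the flaw described above, as an added example that is not part of the original writeup or the application's source: the background array is validated as exactly three integers in 0..255 before any element is formatted into an expression string. EXPR_TEMPLATE and all function names are hypothetical stand-ins, since the application's real expression is not reproduced here.

```python
# Added example: names and the expression template are hypothetical stand-ins.
EXPR_TEMPLATE = "convert(max(band - {0}, {1}, {2}), 'L')"


def parse_background(value):
    """Return (r, g, b) as ints in 0..255, or raise ValueError."""
    if not isinstance(value, list) or len(value) != 3:
        raise ValueError("background must be a list of exactly three items")
    channels = []
    for item in value:
        # bool is a subclass of int; reject it along with str, float, dict, ...
        if isinstance(item, bool) or not isinstance(item, int):
            raise ValueError(f"channel must be an integer, got {type(item).__name__}")
        if not 0 <= item <= 255:
            raise ValueError(f"channel out of range: {item}")
        channels.append(item)
    return tuple(channels)


def build_expression_unsafe(background):
    """The risky pattern: request values are formatted straight into the expression."""
    return EXPR_TEMPLATE.format(*background)


def build_expression_checked(background):
    """Same template, but only validated integers can reach it."""
    return EXPR_TEMPLATE.format(*parse_background(background))


def audit(samples):
    """Return (sample, verdict) pairs: the built expression or the rejection reason."""
    results = []
    for sample in samples:
        try:
            results.append((sample, build_expression_checked(sample)))
        except ValueError as exc:
            results.append((sample, f"rejected: {exc}"))
    return results


if __name__ == "__main__":
    # Constructed request values, not captured traffic. "2*3" is a harmless
    # marker showing that a string element becomes part of the expression text.
    constructed = [[255, 255, 255], [255, 255, "2*3"], [255, 255], [255, 255, 999]]
    print("unsafe:", build_expression_unsafe(constructed[1]))
    for sample, verdict in audit(constructed):
        print(sample, "->", verdict)
```

Input validation complements, rather than replaces, moving off the affected Pillow versions (less than 9.0.0 per the advisory above).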