
SSTI1
mrmo7ox
March 21, 2025
## Description

I made a cool website where you can announce whatever you want! Try it out! Additional details will be available after launching your challenge instance.
When we visit the website, we see an input field. The challenge name is an abbreviation of server-side template injection.
It means that we need to enter text into the input field, and the back end will then execute that input.
So first we need to know what language the back end is built with.
I will check the network tab.
As you can see at the bottom:
server: Werkzeug/3.0.3 Python/3.8.10
That means we need a Python code injection, so we will try:
{{9*9}}
Why:
Because Flask and Django use this syntax to insert variables into the HTML. If we put it in the HTML page and the back end executes it, it will return the result of the multiplication. Let's try.
That means it works.
So if we search for server-side template injection with Python, we will find a lot of payloads that we can use.
The one we can use is this:
{{request.application.__globals__.__builtins__.__import__('os').popen('ls -la').read()}}
Why:
`request.application.__globals__.__builtins__.__import__('os')`: This part accesses the `os` module by using the `__import__` function from Python's built-in functions.
`.popen('ls -la').read()`: This executes the `ls` command on the server using the `popen` method from the `os` module and reads the output of that command.
So let's try it:
The command got executed on the server and sent us back the results. You can see the flag in the listing, so we can change the command to print it:
{{request.application.__globals__.__builtins__.__import__('os').popen('cat flag').read()}}
Now it's your turn: print the flag using the command.
picoCTF{s4rv3r_s1d3_t3mp14t3_1nj3ct10n5_4r3_c001_df9a00a0}
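
A defender-side view of the two inputs used above, as an added example that is not part of the original write-up: it scans form-encoded request bodies for template tags in a field that should hold plain text, and separates a simple `{{9*9}}` probe from a chain that reaches Python internals. The request samples, the field name `content` and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample: (client, form-encoded POST body) pairs, not real traffic.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "content=hello+world"),
    ("10.0.0.7", "content=%7B%7B9*9%7D%7D"),
    ("10.0.0.7", "content=%7B%7Brequest.application.__globals__.__builtins__"
                 ".__import__%28%27os%27%29.popen%28%27ls+-la%27%29.read%28%29%7D%7D"),
    ("10.0.0.8", "content=%257B%257B9*9%257D%257D"),  # double URL-encoded probe
    ("10.0.0.9", "content=price+is+%7B+9*9+%7D"),     # single braces: not a template tag
]

TEMPLATE_EXPR = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)
DUNDER = re.compile(r"__\w+__")  # __globals__, __builtins__, __import__, ...
EXEC_HINTS = ("popen", "subprocess", "system(")

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so nested encodings cannot hide a tag."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return 'clean', 'probe' or 'exec-attempt' for one field value."""
    value = fully_decode(value)
    bodies = ["".join(groups) for groups in TEMPLATE_EXPR.findall(value)]
    if not bodies:
        return "clean"
    for body in bodies:
        if DUNDER.search(body) or any(hint in body for hint in EXEC_HINTS):
            return "exec-attempt"
    return "probe"

def scan(requests):
    """Return (client, field, verdict) for every field that is not clean."""
    findings = []
    for client, body in requests:
        for field, value in parse_qsl(body, keep_blank_values=True):
            verdict = classify(value)
            if verdict != "clean":
                findings.append((client, field, verdict))
    return findings
```

Pattern matching like this is for alerting only, since ordinary text can contain `{{` as well. The fix is to pass user input to the template as a context variable instead of concatenating it into the template source.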