Server Side Template Injection 01
This exercise is one of our challenges on Server-Side Template Injection
In this exercise, we delve into a real-world example of a Server-Side Template Injection (SSTI) vulnerability as reported on Hackerone. The lab specifically targets a bug found in the 404 error management of a Flask web application. By manipulating the error handling code, you can inject malicious payloads that lead to code execution.
The lab begins with a detailed code review of the vulnerable Flask application. It highlights how the use of {{''.__class__.mro()[1].__subclasses__()}} can expose various Python classes, including subprocess.Popen, which can then be exploited to run arbitrary commands. The lab guides you through identifying the right index for subprocess.Popen and crafting the payload to achieve remote code execution. Additionally, the importance of reading Python documentation is emphasized to ensure the correct syntax and options are used.
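To show the root cause the lab's code review looks for, here is an added example (not the lab's application or any HackerOne report code) of a Flask 404 handler that concatenates the requested path into the template source, beside a hardened handler that passes the path in only as a context variable. It assumes Flask is installed; the function and template names are made up for the illustration.

```python
# Added example (not the lab's code): vulnerable vs. hardened Flask 404 handler.
# Assumes Flask is installed; names and templates are hypothetical.
from flask import Flask, render_template_string, request

app = Flask(__name__)


def render_404_vulnerable(path: str) -> str:
    """VULNERABLE: the user-controlled path becomes part of the template
    source, so Jinja parses and evaluates any {{ ... }} the client supplies."""
    template = "<h1>Not Found</h1><p>No page at " + path + "</p>"
    with app.app_context():
        return render_template_string(template)


NOT_FOUND_TEMPLATE = "<h1>Not Found</h1><p>No page at {{ path }}</p>"


def render_404_hardened(path: str) -> str:
    """HARDENED: the template source is a fixed constant. The path arrives
    only as data, is HTML-escaped by Flask's autoescaping, and is never
    interpreted as template syntax."""
    with app.app_context():
        return render_template_string(NOT_FOUND_TEMPLATE, path=path)


@app.errorhandler(404)
def not_found(_error):
    # The fixed template means request.path cannot alter what Jinja executes.
    return render_404_hardened(request.path), 404


def fetch(path: str):
    """Return (status_code, body) for a request made through Flask's test client."""
    with app.test_client() as client:
        resp = client.get(path)
        return resp.status_code, resp.get_data(as_text=True)


if __name__ == "__main__":
    probe = "{{ 7 * 7 }}"  # harmless expression used only to detect evaluation
    print(render_404_vulnerable(probe))  # contains 49: the input was evaluated
    print(render_404_hardened(probe))    # contains the literal {{ 7 * 7 }}
```

The benign `{{ 7 * 7 }}` probe is the same check a code reviewer or scanner uses to confirm whether user input reaches the template parser; only the vulnerable handler turns it into 49.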