Server Side Template Injection 01
This exercise is one of our challenges on the Server-Side Template Injection course.
In this exercise, we delve into a real-world example of a Server-Side Template Injection (SSTI) vulnerability as reported on HackerOne. The lab specifically targets a bug found in the 404 error handling of a Flask web application. By sending crafted input to the error-handling code, you can inject payloads that lead to code execution.
The lab begins with a detailed code review of the vulnerable Flask application. It highlights how the use of `{{''.__class__.mro()[1].__subclasses__()}}` can expose various Python classes, including `subprocess.Popen`, which can then be exploited to run arbitrary commands. The lab guides you through identifying the right index for `subprocess.Popen` and crafting the payload to achieve remote code execution. Additionally, the importance of reading Python documentation is emphasized to ensure the correct syntax and options are used.
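To make the root cause concrete, here is an added illustration (not the lab's own code, and not the HackerOne report's application): a Flask 404 handler that concatenates the requested path into the template source, which is the pattern that lets `{{ ... }}` expressions in a URL be evaluated, next to a handler that keeps the template source constant and passes the path as data. The `make_app` and `render_404` names, the `/` route and the `{{7*7}}` probe string are constructed for this example.

```python
"""Vulnerable vs. hardened 404 handler in Flask (added example, not the lab's code)."""
from flask import Flask, render_template_string, request


def make_app(vulnerable: bool) -> Flask:
    """Build a minimal app whose 404 page echoes the requested path."""
    app = Flask(__name__)

    @app.route("/")
    def index():
        return "ok"

    @app.errorhandler(404)
    def not_found(_err):
        path = request.path  # attacker-controlled text
        if vulnerable:
            # BUG: the path becomes part of the template *source*, so Jinja
            # evaluates any {{ ... }} the client places in the URL (SSTI).
            return render_template_string("Page " + path + " not found"), 404
        # FIX: the template source is a constant; the path is passed as a
        # context variable and rendered (and autoescaped) as plain data.
        return render_template_string("Page {{ path }} not found", path=path), 404

    return app


def render_404(vulnerable: bool, path: str) -> str:
    """Return the body served for a missing path, using Flask's test client."""
    client = make_app(vulnerable).test_client()
    return client.get(path).get_data(as_text=True)


if __name__ == "__main__":
    probe = "/{{7*7}}"  # constructed, benign probe: only a template engine turns it into 49
    print("vulnerable:", render_404(True, probe))   # the expression is evaluated
    print("hardened:  ", render_404(False, probe))  # the braces are shown literally
```

The detection check a reviewer or scanner applies follows directly: if a benign arithmetic expression in user input comes back computed, the input is reaching the template compiler rather than the template context, and the handler needs the second form.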