Welcome to the Ginger Juice Shop, where you can explore and learn about Server-Side Template Injection (SSTI) vulnerabilities in a safe and controlled environment. This application provides two scenarios for practicing SSTI exploitation: a basic example and a more advanced challenge with input restrictions. I hosted this live as well, in case you are a sloth bear like me. Use the live link here at:
['__', 'class', 'mro', 'subclasses', 'eval', 'exec', 'import', 'os', 'sys', '.', '_', 'config']
Before setting up the application, make sure you have the following installed on your machine:
- Python 3.7 or later: Download Python
- Flask: Usually comes by default in many newer Debian distros; if not, install it using:
pip3 install flask
- Clone the repository:
git clone https://github.com/dr34mhacks/Ginger-juice-shop.git
- Navigate to the project directory:
cd Ginger-juice-shop
- Running the application:
flask run
This will start a local server, and you can access the application by navigating to http://127.0.0.1:5000 in your web browser.
The application provides two routes for exploring SSTI:
- Basic SSTI (/): A simple form where you can input your name to test basic SSTI exploitation.
- Advanced SSTI (/hard): A more challenging form with a blacklist filter to prevent common SSTI payloads.
- Understand how SSTI vulnerabilities occur in web applications.
- Learn how to construct payloads to exploit SSTI in a safe environment.
- Explore techniques to bypass input filters and security mechanisms.
- Learn to abuse various dangerous functions of Python to chain RCE.
- Gain RCE.
- Get the flag.txt via RCE.
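The root cause behind both routes, and why a blacklist placed in front of the same sink does not remove it, shown as an added example (not code from this repository). The function names, the greeting template, and the substring-style matching are assumptions; the token list is the one shown near the top of this page, assumed here to be the /hard blacklist.

```python
from jinja2 import Environment

# Token list copied from this page. Applying it as a case-insensitive
# substring check is an assumption about how the /hard route filters input.
BLACKLIST = ['__', 'class', 'mro', 'subclasses', 'eval', 'exec', 'import',
             'os', 'sys', '.', '_', 'config']

# Autoescaping on, as Flask enables it for string templates.
env = Environment(autoescape=True)


def passes_blacklist(value: str) -> bool:
    """True when no blacklisted token occurs anywhere in the input."""
    lowered = value.lower()
    return not any(token in lowered for token in BLACKLIST)


def render_vulnerable(name: str) -> str:
    """Root cause: user input becomes part of the template source."""
    return env.from_string("Hello " + name + "!").render()


def render_filtered(name: str) -> str:
    """Same vulnerable sink, with the blacklist placed in front of it."""
    if not passes_blacklist(name):
        return "Input rejected"
    return render_vulnerable(name)


def render_safe(name: str) -> str:
    """Fix: constant template source; input is passed only as a context value."""
    return env.from_string("Hello {{ name }}!").render(name=name)


if __name__ == "__main__":
    probe = "{{7*7}}"  # constructed, harmless arithmetic probe
    for fn in (render_vulnerable, render_filtered, render_safe):
        print(f"{fn.__name__:18} {probe!r:12} -> {fn(probe)}")
    # A legitimate name is rejected by the filter ('os' is a substring of
    # 'Ross'), while the probe above is still evaluated behind it.
    print(f"{'render_filtered':18} {'Ross'!r:12} -> {render_filtered('Ross')}")
    print(f"{'render_safe':18} {'Ross'!r:12} -> {render_safe('Ross')}")
```

The filter rejects ordinary input yet still lets template expressions reach the engine; only keeping user input out of the template source stops the evaluation.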
This application is intended for educational purposes only. Do not use these techniques on systems without explicit permission. Always practice ethical hacking and responsible disclosure.
Feel free to submit issues or pull requests for enhancements or bug fixes. Contributions are welcome!
This project is licensed under the MIT License.
Happy Hunting! 🛡️🔍