webmedium

No Quotes

uoftctf2026

Task: Flask app with SQL injection in login (f-string query) and SSTI in home page (render_template_string), protected by a WAF blocking quotes. Solution: Used backslash escape to break out of the SQL string context, injected a UNION SELECT with hex-encoded Jinja2 SSTI payload (lipsum.__globals__.os.popen), and passed the command via request.args to avoid quotes.

$ ls tags/ techniques/
waf_bypasssqlimysqlflasksstijinja2
backslash_escapehex_encodingunion_selectssti_rce
🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub, then upgrade to Pro.

$ssh [email protected]