forty-nine writeup
Ankeet1729 opened this issue
Ankeet1729 commented
I have a few doubts in your writeup. Firstly, how did you come up with trying `${{7*7}}`... And how did you know that `{%` could bypass `{{`...
And also, after that, why couldn't we just directly try "cat flag.txt" instead of `{% print(x.init.globals.builtins.import("os")["popen"]("cat flag.txt").read()) %}`... Like, how did you know that the framework is using Python? I am just a beginner in CTFs, and helping this kid out will be really appreciated :)
Muhammad Daffa commented
- As usual, I always tried any payload such as SQLi, Command Injection, etc. And because this website is using Python, you can check this
- Read this
- Because it's an SSTI vulnerability
- You can check the HTTP response header. If you find `Werkzeug`/`Python` in the response header, that means the website uses Python
Ankeet1729 commented
Alright, thanks for the help. It is clearer to me now.