I'm doing a web CTF that contains a SSTI vulnerability in a Jinja2 template, so I can use curly brackets. However, every special word like class, base, mro, etc. And every special symbol is filtered except for (),_,%,[] and + sign.
How can I build a exploit that bypasses these filters and do a RCE escape? I didn't find any reference at Internet and I'm doing for a college job, so this may be inedit.
[link] [comments]
from hacking: security in practice https://ift.tt/yYEhMiD
Comments
Post a Comment