Server-Side Template Injection
A template that renders user input is a path to code execution. Drill detecting the engine and turning a math expression into a shell.
Confirm the injection by submitting a template expression and checking whether it is evaluated rather than echoed. A returned 49 from a 7*7 expression means the engine ran your input.
Fingerprint the engine from how different payloads behave, then use its object-traversal gadget chain to reach OS command execution and read the flag.
How the attack works
- Submit a math expression where input is reflected to see if the template evaluates it.
  {{7*7}}
- Confirm and fingerprint the engine — each accepts different syntax.
  ${7*7}   #{7*7}   <%= 7*7 %>
- Reach a command primitive via the engine's globals (Jinja2 example).
  {{ cycler.__init__.__globals__.os.popen('id').read() }}
- Run a command that reads the flag.
On PwnKata the binary, account, and paths change every rep — so you drill the recognition, not this exact command.
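The same four syntax families and the evaluated-versus-echoed check above are what a defender looks for on the other side of the wire. The following is an added example, not code from PwnKata or from this page: stdlib-only Python that flags template-expression probes in request parameters, tells an evaluated probe (the response carries 49) from a merely echoed one, and scans constructed access-log lines for probes. The engine names attached to each syntax are a fingerprinting hint of engines that commonly use that delimiter style, not a definitive identification, and the log lines and IP addresses are constructed sample data.

```python
"""Detection helpers for Server-Side Template Injection (SSTI) probes.

Added example (not part of the original page). Everything here is standard
library; log lines and addresses are constructed for the demonstration.
"""
import operator
import re
from urllib.parse import parse_qs, urlsplit

# Delimiter styles and engines that commonly use them (hint only).
PROBE_PATTERNS = {
    "jinja2/twig":        re.compile(r"\{\{\s*(.+?)\s*\}\}", re.S),
    "freemarker/mako/el": re.compile(r"\$\{\s*(.+?)\s*\}", re.S),
    "el/thymeleaf/ruby":  re.compile(r"#\{\s*(.+?)\s*\}", re.S),
    "erb/ejs":            re.compile(r"<%=\s*(.+?)\s*%>", re.S),
}

# A probe body is either simple arithmetic (7*7), dunder traversal
# (__init__, __globals__) or a well-known command primitive.
SUSPICIOUS_BODY = re.compile(
    r"^\s*\d+\s*[*+\-/]\s*\d+\s*$"
    r"|__\w+__"
    r"|\b(?:popen|system|exec|eval|getRuntime|Runtime)\b"
)

# Arithmetic we are willing to evaluate ourselves (no eval()).
ARITH = re.compile(r"^\s*(\d+)\s*([*+-])\s*(\d+)\s*$")
OPS = {"*": operator.mul, "+": operator.add, "-": operator.sub}

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

# Constructed sample access log: one benign request, three probes, one
# benign value that merely contains double braces (no arithmetic/traversal).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /greet?name=alice HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /greet?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 501',
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /greet?name=%24%7B7*7%7D HTTP/1.1" 200 520',
    '203.0.113.5 - - [10/Oct/2023:13:57:10 +0000] "GET /greet?name=%7B%7B+cycler.__init__.__globals__.os.popen(%27id%27).read()+%7D%7D HTTP/1.1" 200 780',
    '192.0.2.77 - - [10/Oct/2023:13:58:00 +0000] "GET /search?q=price+%7B%7Bitem%7D%7D HTTP/1.1" 200 300',
]


def classify_probe(value):
    """Return (syntax_family, expression_body) if value looks like an SSTI probe, else None."""
    for family, pattern in PROBE_PATTERNS.items():
        for match in pattern.finditer(value):
            body = match.group(1)
            if SUSPICIOUS_BODY.search(body):
                return family, body
    return None


def expected_value(body):
    """Compute the result of a simple arithmetic probe body, or None if it is not one."""
    match = ARITH.match(body)
    if not match:
        return None
    left, op, right = match.groups()
    return OPS[op](int(left), int(right))


def probe_was_evaluated(probe, response_text):
    """True if the response shows the computed value instead of echoing the probe verbatim.

    This is the defender's version of the 7*7 -> 49 check: an echoed probe is
    a reflection issue, an evaluated one means the template engine ran input.
    """
    hit = classify_probe(probe)
    if hit is None:
        return False
    expected = expected_value(hit[1])
    if expected is None:
        return False
    return str(expected) in response_text and probe not in response_text


def scan_access_log(lines):
    """Return (client_ip, param_name, syntax_family, body) for every parameter carrying a probe."""
    findings = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        client_ip, _method, target = match.groups()
        query = urlsplit(target).query
        # parse_qs percent-decodes, so %7B%7B7*7%7D%7D is inspected as {{7*7}}.
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                hit = classify_probe(value)
                if hit is not None:
                    findings.append((client_ip, name, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for ip, param, family, body in scan_access_log(SAMPLE_LOG):
        print(f"{ip} param={param} family={family} body={body!r}")
```

The scanner deliberately ignores values such as `price {{item}}`, which share the delimiters but carry neither arithmetic nor object traversal, so it stays usable on an application whose users legitimately type braces. On the application side the fix is the same regardless of engine: user input goes into the template as a context variable (`render_template_string("Hello {{ name }}", name=name)` in Flask/Jinja2), never concatenated into the template source itself.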
Recover the flag at /root/flag.txt and submit it.