Tags: template-injection python 

Rating: 3.3

There is a website at: `http://challenges2.hexionteam.com:2001/`. The website lets you store notes. It works as expected, but looking into the page source you can find a hidden message saying:

```

```

Under the `/notes` URL we can find the API that returns an array of the notes we've stored. If we try to add a note containing `{{7+7}}`, the main page shows it literally, but the API returns `14`. This means there is a template injection vulnerability.

You can find a lot of [good payloads here](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection) but none of them works out of the box. I had to play with this a bit. Eventually I found that the following displays a list of all loaded classes:

```
{{''.__class__.mro()[1].__subclasses__()}}
```

Two of them in particular looked useful: `subprocess.Popen` and `gevent.subprocess.Popen`. As I could not get the regular Popen to work, I tried the gevent one. A payload like this worked like a charm:

```
{{(''.__class__.mro()[1].__subclasses__()[425])(['cat', '/home/site/flag'], -1, None, None, -1).communicate()[0]}}
```

The flag was: `hexCTF{d0nt_r3nder_t3mplates_w1th_u5er_1nput}`
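As an added illustration (not the challenge's own code), here is the Jinja2 pattern that produces the behaviour seen above, next to the fix the flag hints at: user input must reach the template as data, never as template source. The note-list shape is assumed; a sandboxed environment is shown as a defence-in-depth check for cases where template source genuinely has to come from users.

```python
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment
from jinja2.exceptions import SecurityError

# Constructed sample notes, including the probe used in the writeup.
NOTES = ["groceries", "{{7+7}}"]


def render_notes_vulnerable(notes):
    """Builds the template *source* from user input, so Jinja2 evaluates
    any {{ ... }} the user supplied: this is the SSTI from the writeup."""
    env = Environment(autoescape=True)
    source = "".join(f"<li>{n}</li>" for n in notes)
    return env.from_string(source).render()


def render_notes_fixed(notes):
    """Keeps the template source static; notes only ever enter as data,
    so '{{7+7}}' is emitted literally (and HTML-escaped)."""
    env = Environment(autoescape=True)
    tpl = env.from_string("{% for n in notes %}<li>{{ n }}</li>{% endfor %}")
    return tpl.render(notes=notes)


def render_sandboxed(source):
    """Defence in depth when template source must come from users:
    SandboxedEnvironment refuses attribute walks such as ''.__class__.
    Returns the rendered text, or 'blocked: ...' when Jinja2 raises."""
    env = SandboxedEnvironment(autoescape=True)
    try:
        return env.from_string(source).render()
    except SecurityError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    print(render_notes_vulnerable(NOTES))  # second note evaluates to 14
    print(render_notes_fixed(NOTES))       # second note stays {{7+7}}
    print(render_sandboxed("{{''.__class__.mro()[1].__subclasses__()}}"))
```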