ssti automation bypass tool

Jun 20, 2025#ctf85

AI Translation

This post is translated from Chinese into English through AI.View Original

AI-generated summary

The document introduces "Fenjing," an automated SSTI bypass tool designed for CTF competitions. It allows users to automatically attack specified websites or APIs, eliminating the need for manual testing against WAFs. Installation is straightforward via `pip3 install fenjing`, followed by launching the tool with `fenjing webui`. Users can input parameters such as the target URL, request method (POST), and form fields (username, password) to analyze and automatically iterate through payloads. Successful attempts will prompt a notification, and users can view the flag by executing the command `cat /flag`. The project is available on GitHub at https://github.com/Marven11/Fenjing.

SSTI Automation Bypass Tool#

During a CTF competition, I encountered a problem related to SSTI and discovered a tool, the SSTI automation bypass tool.

Project address: https://github.com/Marven11/Fenjing

Introduction: Fenjing is a fully automated script for bypassing WAF in Jinja SSTI during CTF competitions. It can automatically attack a given website or interface, saving time on manual testing of interfaces and fuzzing WAF challenges.

Installation and Usage

pip3 install fenjing
fenjing webui

3d98a2c2265de66761bfef7f8ac7e494_MD5

Open the link, the interface is as follows:

a7feee11108bb56bdc1b8cb857aed3a6_MD5

Fill in the parameters

Target link: http://xx.xx.xx.xx:18055/login
Request method: POST
Form input: You need to fill in the form fields, username, password

Start analysis, and it will automatically iterate through payloads. Upon success, there will be a prompt, and then use the output cat /flag command to view the flag.