ssti automation bypass tool

Jun 20, 2025#ctf27

AI Translation

This post is translated from Chinese into English through AI.View Original

AI-generated summary

The document introduces an automated tool for bypassing SSTI (Server-Side Template Injection) in CTF (Capture The Flag) competitions called "Fenjing." This tool automates attacks on specified websites or APIs, saving time on manual testing. To install and use it, run: ``` pip3 install fenjing fenjing webui ``` After launching the web interface, users can input parameters such as the target URL, request method (POST), and form fields (username and password). The tool will then analyze and automatically traverse payloads, providing success notifications and allowing users to view the flag with the command `cat /flag`. Project link: [Fenjing GitHub](https://github.com/Marven11/Fenjing)

SSTI Automation Bypass Tool#

During a CTF competition, I encountered a problem related to SSTI and discovered a tool, the SSTI automation bypass tool.

Project address: https://github.com/Marven11/Fenjing

Introduction: Fenjing is a fully automated script for bypassing WAF in Jinja SSTI during CTF competitions. It can automatically attack the given website or interface, saving the time of manually testing the interface and fuzzing the WAF.

Installation and Usage

pip3 install fenjing
fenjing webui

3d98a2c2265de66761bfef7f8ac7e494_MD5

Open the link, the interface is as follows:

a7feee11108bb56bdc1b8cb857aed3a6_MD5

Fill in the parameters

Target link: http://xx.xx.xx.xx:18055/login
Request method: POST
Form input: You need to fill in the form fields, username, password

Start analysis, and it will automatically traverse the payload. After success, there will be a prompt, and then output the command cat /flag to view the flag.