Solid video, never thought of making function calls from within templates. You explained it well, and the drawing make it super easy to follow along! Keep it going man
Thanks a LOT for that python knowledge! I'm stuck on a python CTF challenge for a long time, and now i made a huge step. Still not done but now I have acces to sys, not to os.
If you want to know which class of __subclasses__() contains sys/os, you can simply execute the following code and get the position of the module in the subclasses list: class_l = ''.__class__.__base__.__subclasses__() for i, val in enumerate(class_l): try: val.__init__.__globals__['sys'] print(i, val) except: pass
The most interesting things is the beautiful simple website style design you making. I wonder what are you using to make these simple website (Front-end) for the back-end its clear you are using python flask.
I mostly use Python with Flask for backend because it has a very simple boilerplate code to get started with. For the frontend, I mostly write CSS from scratch. It's probably not the best thing, I should prolly write a small CSS library to keep the styles consistent across videos, but they look mostly the same because I have memorized styles with colors I usually go with.
Cool video, but When you say that jinja limits the templates, so that you cannot import, instead of doing "import os; os.system('id')", you could try "__import__('os').system('id')". [ I don't know if that works, just a suggestion to include in the video ]
Hi ! Thx for the video, I love that format really nice ! I have question, I still don't understant how did you get from .__base__.__subclasses__() to .__base__.__subclasses__()[141] where did you find the 141 value ? Also how did you know that 'warnings.catch_warnings' contain an "import sys" ? Thank you :)
i tried your code on ipython and it doesnt work, because the 142 subclass is not the same as you and it doesnt include a class importing sys a more generic approach would be to use list comprehension to get the package you wish but i dont know if that would be exec in jinga: [x.__init__.__globals__["sys"] for x in ''.__class__.__base__.__subclasses__() if '__globals__' in dir(x.__init__) and "sys" in x.__init__.__globals__][0].modules["os"].yournastythings also, nice video :)
Technically the reason why the first attempt didn't work was because you had a statement in a place where jinja expected an expression but yes __ import __ also doesn't work in this case
I missed you so much, you are such a inspiration for me continuing researching and learning hacking stuff
Dude I love your videos!
I am a Software Engineer and you videos gave me an easy first look into some security topics
Love the Mr. Robot reference
Crazy! Great content and loved the background music XD
glad to see you back after a while..be continue as soon as you can
Solid video, never thought of making function calls from within templates. You explained it well, and the drawing make it super easy to follow along! Keep it going man
This is so far, one of my favorite internet videos. Amazing to this channel popped up on my UA-cam feed. Thanks for sharing, brilliant video!
I've watched a handful of videos on this channel so far and the majority of them were new methods of hacking I was completely unaware of! great job!
literally this is the best channel in UA-cam
Great content! Been waiting for another video for a while now, but it's finally here! :D
Long time no see :]
you give off a kind of LiveOverflow vibe and i love it
you are now my new fav channel for when I go back to the basics you make it so much more fun!
Lesson: sanitize user input.
Golden contents!
the quality of these videos are just excellent, lots of love dude, keep posting more like these :)
I like you attitude,your accent and voice and also the content you deliver keep making such things for us thank you
Thanks a LOT for that python knowledge! I'm stuck on a python CTF challenge for a long time, and now i made a huge step. Still not done but now I have acces to sys, not to os.
0:33 nice reference
So glad to see you are back!!! Missed your videos!
I work with flask professionally I never did this error but this is good to keep in mind thank you
Missed you
Thank you. I have been struggling to get my head around this 1 for days
Nice of you to play my all time favorite song ever in the background
The king is back
Seen something very useful after months... Thanks man
This is so well done. Great videos on your channel.
glad to see you back
This was eyeopening. Well done. Subbed.
0:37 I like the Mr. Robot names you used in there
Top notch presentation! 👌
Keep up the great work man!
If you want to know which class of __subclasses__() contains sys/os, you can simply execute the following code and get the position of the module in the subclasses list:
class_l = ''.__class__.__base__.__subclasses__()
for i, val in enumerate(class_l):
try:
val.__init__.__globals__['sys']
print(i, val)
except:
pass
Please Make Alot Of Videos! I love learning things like this! 🤩
Those tweets on the example website are too funny
great work!! short and sweet, keep it going please!
That was amazing
And im not even a Python coder
Dude this is cool. Really well explained
0:36 i like the Mr Robot allusions
DAAAAD WHERE HAVE YOU BEEN I MISSED YOU
Can this be bypassed by exec(compile(“import os; os.system(‘id’)”))
Love your videos man!
man please dont stop ur videos please
like the way you explained and this theme for displaying code
Very interesting video. Also perfect length!
The most interesting things is the beautiful simple website style design you making.
I wonder what are you using to make these simple website (Front-end) for the back-end its clear you are using python flask.
I mostly use Python with Flask for backend because it has a very simple boilerplate code to get started with. For the frontend, I mostly write CSS from scratch. It's probably not the best thing, I should prolly write a small CSS library to keep the styles consistent across videos, but they look mostly the same because I have memorized styles with colors I usually go with.
@@PwnFunction Thank you so much for the reply. I really appreciate that.
Your videos are amazing and hilarious! Keep it up! :)
The legend is back
Such an awesome explaination. Thanks man
That was an amazing video! Thank you.
Great explaination with great art works
Immediately press like button before watching...
The math teacher I’ve always wanted
Love the Mr. Robot references.
wonderful video mate ... explained very well
Simple and Solid Explanation ❤
Nice video dude keep up
You're back!😄
LOL I FLINCHED WHEN HE SAID "SUPRISE MOTHER FU". pls keep teaching
Such a great video in very low audio humiliate the home theater`s full vol sound.
hes backkkkk!!!!!11!!!!!11!1!
Cool video, but
When you say that jinja limits the templates, so that you cannot import, instead of doing "import os; os.system('id')", you could try "__import__('os').system('id')".
[ I don't know if that works, just a suggestion to include in the video ]
Yes, I've tried using the special methods, jinja errors out, doesn't seem to let you import at all :(
Thanks for sharing this, it's very insightful! Looks like it's time for me to review my code lol
Welcome Back !
rap @ 6:13
Love you so much, thanks do great video's :D
Very Educational video
keep it up
Loved it!!! Great video!
In germany 7*7 is 'feiner sand' (fine sand) cause 7 sounds like the verb to sieve
boy o boi , i got so many bugs in live applications after learning basics from here
Lov ur all topics 😍😎😎
Great explanation...you are amazing...
Great teaching, expecting more... From u
3:15 British people getting stabbed like:
"Oit there mate, bit rude to put that knoife in me chest innit?"
LMAO
I think this would be good to watch after the entire Log4J part :P
Thanx alot for the awsome videos brother.
Missed you !
this video is awesome thanks!
7*7=SSTI 😅
Another great video
I love those Mr Robot references 🤣
Best explanation!
Very useful thank you for this
Bril jus bril bro! ❤️
LMAO Surprise!!! Way To Good 👍 Keep The Videos Coming 😉
Well made video!
Awesome Content 🔥
I would argue that services that still use server side rendering these days aren't worth attacking...
I like your videos.
keep it up :)
The way python sir enters😌😂
Is gadget which your are talking. related to gadget chain?
Me realising my website is vulnerable to this via a cookie
what do you mean when you say to not make (input + code) together?
thanks bro for that video!
Your video is so awesome
Hi ! Thx for the video, I love that format really nice !
I have question, I still don't understant how did you get from .__base__.__subclasses__() to .__base__.__subclasses__()[141] where did you find the 141 value ? Also how did you know that 'warnings.catch_warnings' contain an "import sys" ? Thank you :)
i tried your code on ipython and it doesnt work, because the 142 subclass is not the same as you and it doesnt include a class importing sys
a more generic approach would be to use list comprehension to get the package you wish but i dont know if that would be exec in jinga:
[x.__init__.__globals__["sys"] for x in ''.__class__.__base__.__subclasses__() if '__globals__' in dir(x.__init__) and "sys" in x.__init__.__globals__][0].modules["os"].yournastythings
also, nice video :)
Greeeeeat 🎉
Damn. This is so cool!
Does jinja filter out __import__?
Your intro music is cool
Technically the reason why the first attempt didn't work was because you had a statement in a place where jinja expected an expression but yes __ import __ also doesn't work in this case