Languages frequently have means for including external code directly.
$MessageFile = "cwe-94/messages.out";
if ($_GET["action"] == "NewMessage") {
$name = $_GET["name"];
$message = $_GET["message"];
$handle = fopen($MessageFile, "a+");
fwrite($handle, "<b>$name</b> says '$message'<hr>\n");
fclose($handle); echo "Message Saved!<p>\n";
} else if ($_GET["action"] == "ViewMessages") {
include($MessageFile);
}
from flask import Flask, render_template_string, request
app = Flask(__name__, static_url_path='/static')
@app.route("/")
def home():
user = request.args.get('user') or None
template = '<html><head><title>SSTI demo app</title></head><body>'
if user == None:
template = template + '''
<h1>Login Form</h1><form>
<input name="user" value="Username"><br>
<input type="submit" value="Log In">
</form>'''.format(user)
else:
template = template + '''
<h1>Hi {}</h1>
Welcome to the vulnerable app!'''.format(user)
return render_template_string(template)
if __name__ == '__main__':
app.run()