Pentesting

Magic Methods

Class Methods

You can access the methods of a class using __dict__.

You can access the functions

Object class

Attributes

You can access the attributes of an object using __dict__. Example:

Class

You can access the class of an object using __class__

You can access the methods of the class of an object by chaining magic attributes:

Server Side Template Injection

Interesting attribute chains to exploit this vulnerability

__init__.__globals__
__class__.__init__.__globals__

In the response, search for the application object (probably near the end).

Then access the environment content of the application, where you will hopefully find some passwords or other interesting information:

__init__.__globals__[<name>].config
__init__.__globals__[<name>].__dict__
__init__.__globals__[<name>].__dict__.config
__class__.__init__.__globals__[<name>].config
__class__.__init__.__globals__[<name>].__dict__
__class__.__init__.__globals__[<name>].__dict__.config
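The following is an added example (not code from the original page) that runs the `__dict__`, `__class__` and `__class__.__init__.__globals__` introspection from the sections above on a constructed class, and pairs it with the defensive counterpart: an attribute lookup that refuses magic names, plus a detection check for template input that reaches for them. The `Account` class, the `safe_getattr` rule and the regex are hypothetical and assumed for illustration.

```python
import re

# Constructed stand-in for an application object (hypothetical, not from the page).
class Account:
    service = "demo"

    def __init__(self, user):
        self.user = user

    def greet(self):
        return "hi " + self.user


def class_methods(cls):
    """Functions defined on a class, read from cls.__dict__ (dunder names skipped)."""
    return sorted(n for n, v in vars(cls).items()
                  if callable(v) and not n.startswith("__"))


def object_attributes(obj):
    """Instance attributes, read from obj.__dict__."""
    return dict(vars(obj))


def reach_globals(obj):
    """The __class__ -> __init__ -> __globals__ chain: from any instance to the
    globals of the module that defined its class."""
    return obj.__class__.__init__.__globals__


# Defensive side: a template engine exposes objects to user-controlled templates,
# so attribute lookup must refuse magic names. This is a hypothetical minimal
# version of the rule a sandboxed template environment applies.
DUNDER = re.compile(r"__\w+__")


def is_allowed_attribute(name):
    return not name.startswith("_")


def safe_getattr(obj, name):
    if not is_allowed_attribute(name):
        raise AttributeError(f"access to {name!r} is not allowed")
    return getattr(obj, name)


def has_dunder_access(template_input):
    """Detection: flag template input that reaches for magic attributes."""
    return bool(DUNDER.search(template_input))
```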

More Information