First, we need to “View details” of a product and click “Edit template”. We can see that the template gets its data using `{{product.name}}`. Changing it to `{{7*7}}` and clicking “Preview” raises an exception that names the template engine, which is Django.
![](https://niekdang.wordpress.com/wp-content/uploads/2021/01/image-43.png?w=1024)
According to this guide about SSTI (Server Side Template Injection), to find the framework’s secret key we use:
`{{settings.SECRET_KEY}}`
![](https://niekdang.wordpress.com/wp-content/uploads/2021/01/image-45.png?w=1024)
![](https://niekdang.wordpress.com/wp-content/uploads/2021/01/image-46.png?w=1024)
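The defensive counterpart to the steps above, as an added example that is not part of the original post: a pre-save check for a user-editable Django template that accepts only allowlisted variables and filters, so both `{{7*7}}` and `{{settings.SECRET_KEY}}` are rejected before anything is rendered. The function name, the allowlists and the sample inputs are assumptions made for illustration.

```python
import re

# Assumption: the only values a product description template legitimately needs.
ALLOWED_VARIABLES = {"product.name", "product.price", "product.stock"}
# Assumption: filters considered harmless for this editor.
ALLOWED_FILTERS = {"upper", "lower", "title", "escape", "floatformat"}

# Django delimiters: {{ variable }}, {% tag %}, {# comment #}
TOKEN_RE = re.compile(r"(\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\})", re.S)


def check_template(source):
    """Return the reasons to reject a user-edited template (empty list = accept)."""
    problems = []
    for token in TOKEN_RE.findall(source):
        inner = token[2:-2].strip()
        if token.startswith("{%"):
            # A product description needs no template tags, so all are refused.
            problems.append(f"template tag not allowed: {token}")
        elif token.startswith("{{"):
            name, *filters = [part.strip() for part in inner.split("|")]
            if name not in ALLOWED_VARIABLES:
                problems.append(f"variable not allowed: {name!r}")
            for flt in filters:
                # "floatformat:2" -> "floatformat"
                if flt.split(":", 1)[0] not in ALLOWED_FILTERS:
                    problems.append(f"filter not allowed: {flt!r}")
    # Delimiters left over after removing complete tokens are malformed input.
    remainder = TOKEN_RE.sub("", source)
    if any(d in remainder for d in ("{{", "}}", "{%", "%}")):
        problems.append("unbalanced template delimiters")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate template and the two edits
    # made in the walkthrough above.
    samples = [
        "<p>{{ product.name }} costs {{ product.price|floatformat:2 }}</p>",
        "{{7*7}}",
        "{{settings.SECRET_KEY}}",
    ]
    for sample in samples:
        verdict = check_template(sample)
        print("ACCEPT" if not verdict else f"REJECT {verdict}", "<-", sample)
```

Validation of this kind only narrows what an editor can reference; the rendering context should also contain nothing but the product data, so that the settings object is not reachable from a template at all.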