search

ERPNext (SQLi -> SSTI)

hashtag
πŸ§ͺ SSTI Exploitation Checklist (Jinja2)

hashtag
βœ… 1. Confirm SSTI

  • Inject {{7*7}} or {{1337}} and check for evaluation.

  • Try {% set var = "test" %} to test logic blocks.

hashtag
πŸ”“ 2. Bypass Filters

  • Use |attr() to access attributes dynamically.

  • Example: {{ "ssti"|attr("__class__") }}

hashtag
🧬 3. Access MRO (Method Resolution Order)

{% set string = "ssti" %}
{% set class = "__class__" %}
{% set mro = "__mro__" %}
{% set mro_r = string|attr(class)|attr(mro) %}
{{ mro_r[1] }}

hashtag
🧬 4. List Subclasses

hashtag
πŸ” 5. Identify Useful Classes

  • Look for subprocess.Popen, os.system, etc.

  • Use indexing to access specific class:

hashtag
πŸ’£ 6. Execute Commands

hashtag
🧼 7. Clean Output

  • Use VS Code or a script to format subclass output.

  • Replace ", " with newlines for easier indexing.

PreviousDotNetNuke (Deserialization RCE)NextChallenges

Last updated