Server Side Template Injection (SSTI) in jinja2 | CVE-2019-8341 | Snyk
Cheatsheet - Flask & Jinja2 SSTI
Understanding Server Side Template Injection in Flask Apps - Payatu
`__mro__` / `mro()`
: Method Resolution Order. The `__mro__` attribute returns a tuple, while the `mro()` method returns a Python list of the classes that are considered when looking for base classes during method resolution.
It lets us climb up the inheritance tree.
`__subclasses__()`
: Python3 introduced the `__subclasses__()` method, which returns a long list of available Python classes.
It lets us walk the inheritance tree, giving us access to every class loaded in the current Python environment.
Access the subclasses of mro[1] = base.
In general, the mro only has index 1.
Save the CSV to a file and look up the index of the desired class.
<class '_io._IOBase'>
: Read files
`{{().__class__.__mro__[1].__subclasses__()[index of <class '_io._IOBase'>].__subclasses__()[0].__subclasses__()[0]('/etc/passwd').read()}}`
<class 'subprocess.Popen'>
: RCE
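
On the detection side, the chain described in these notes (`__class__`, `__mro__` / `mro()`, `__subclasses__()` inside `{{ }}`) leaves a recognisable trace in request parameters. The following is an added example, not part of the original notes: the function names, the threshold and the sample log values are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Attributes used by the inheritance-tree traversal described in these notes.
TRAVERSAL_ATTRS = ("__class__", "__mro__", "mro()", "__subclasses__")
# Jinja2 expression delimiters: {{ ... }}
EXPR_RE = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)


def normalize(value, max_rounds=3):
    """URL-decode repeatedly so single- and double-encoded input compare equal."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_hits(value):
    """Return the traversal attributes found inside any {{ ... }} expression."""
    hits = []
    for expr in EXPR_RE.findall(normalize(value)):
        compact = re.sub(r"\s+", "", expr)  # ignore whitespace padding
        for attr in TRAVERSAL_ATTRS:
            if attr in compact and attr not in hits:
                hits.append(attr)
    return hits


def is_suspicious(value, threshold=2):
    """Flag input that chains at least `threshold` traversal attributes."""
    return len(traversal_hits(value)) >= threshold


# Constructed sample query strings, as they would appear in an access log.
SAMPLE_LINES = [
    "name=alice",
    "name=%7B%7B%20user.name%20%7D%7D",
    "name=%7B%7B().__class__.__mro__%5B1%5D.__subclasses__()%7D%7D",
    "name=%257B%257B().__class__.mro()%257D%257D",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(is_suspicious(line), traversal_hits(line), line)
```

A match here is a triage signal only; the fix is to never render user input as template source and to pass it as a template variable instead.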