10 character SSTI payload

I’ve found a Jinja2 (I think) Server-Side Template Injection vulnerability in a private program via the username. However, usernames cannot be longer than 10 characters, and the program requires a PoC that shows an actual security impact ({{7*7}} not sufficient). Are there any SSTI exploit payloads that are 10 characters or less?

1 Like

@waike try the payloads below and try to understand the environment.

{{self}}
{{config}}
{{Bold Text}}
{{'abcd'.toUpperCase()}}

2 Likes
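For anyone fixing this class of bug: the following is an added example, not code from the thread or from the program in question. It shows why a 10-character limit does not mitigate the issue and how passing the username as data does. It assumes the engine really is Jinja2 (the poster was not sure); the greeting template and the function names are hypothetical.

```python
# Added example. Assumption: the engine is Jinja2; names below are hypothetical.
from jinja2 import Environment

MAX_LEN = 10  # username length limit described in the question
env = Environment(autoescape=True)


def render_vulnerable(username: str) -> str:
    """Username is concatenated into the template SOURCE, so Jinja2 parses it."""
    return env.from_string("Hello " + username).render()


def render_fixed(username: str) -> str:
    """Username is passed as DATA to a constant template and is never parsed."""
    return env.from_string("Hello {{ name }}").render(name=username)


def evaluated(username: str) -> bool:
    """True when the vulnerable path produced anything other than the literal input."""
    return render_vulnerable(username) != "Hello " + username


# Constructed sample usernames: a normal name plus the short expressions
# already quoted in the thread. All of them pass the length check.
SAMPLES = ["waike", "{{7*7}}", "{{self}}", "{{config}}"]

if __name__ == "__main__":
    for name in SAMPLES:
        assert len(name) <= MAX_LEN
        print(f"{name!r:14} evaluated={evaluated(name)!s:5} "
              f"fixed={render_fixed(name)!r}")
```

Outside Flask, `{{config}}` is simply undefined and renders as an empty string; inside a Flask app the same expression resolves to the application config object, which is why the fix has to be at the rendering call rather than at the length check.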