@HomeSen said:
Have you tried using alternative parentheses? Like e.g. the UTF-8 full-width characters? Maybe the filter is somewhere in front and Jinja gracefully converts them back for you.
os.system('id')
aka.os.system%uff08'id'%uff09
I owe you at least a small beer!
It progressed slightly - getting server errors now but that could be down to all the ■■■■ I’ve been throwing at it.
So far it looks like this bypassed at least part of the content filtering.
EDITED TO ADD
Might have been a bit too optimistic. It just generates HTTP 500s even with a clean boot, I think it's breaking the content filter rather than bypassing it. Also it's a lot of characters when I only have 45 to play with.
But I am genuinely indebted to @HomeSen for the nudge here.
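
The filter-ordering issue that the quoted suggestion depends on, seen from the defending side, as an added example that is not part of the original posts: a blocklist that inspects input before it is decoded and normalized misses full-width parentheses, while canonicalizing first catches them. The `%uXXXX` decoding step, the NFKC normalization stage, the two-character blocklist and the function names are assumptions for illustration; the thread does not establish how the target actually processes input.

```python
import re
import unicodedata

# Constructed blocklist for this example: ASCII parentheses only.
BLOCKED = set("()")


def decode_percent_u(s: str) -> str:
    """Decode the non-standard %uXXXX escapes used in the quoted post."""
    return re.sub(r"%u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), s)


def canonicalize(s: str) -> str:
    """Decode escapes, then fold compatibility forms with NFKC.

    NFKC maps U+FF08/U+FF09 (full-width parentheses) to ASCII '(' and ')'.
    """
    return unicodedata.normalize("NFKC", decode_percent_u(s))


def filter_then_normalize(raw: str):
    """Weak ordering: the blocklist sees raw text, a later stage normalizes.

    Returns None when rejected, otherwise the string the downstream
    component (assumed to canonicalize) ends up processing.
    """
    if BLOCKED & set(raw):
        return None
    return canonicalize(raw)


def normalize_then_filter(raw: str):
    """Corrected ordering: validate the same form the downstream stage sees."""
    canonical = canonicalize(raw)
    if BLOCKED & set(canonical):
        return None
    return canonical


if __name__ == "__main__":
    # First sample is the string from the quoted post; the rest are constructed.
    samples = ["os.system%uff08'id'%uff09", "os.system('id')", "hello world"]
    for sample in samples:
        print(repr(sample),
              "| filter-first:", repr(filter_then_normalize(sample)),
              "| normalize-first:", repr(normalize_then_filter(sample)))
```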