SSTI (Server-Side Template Injection)

Theory

Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.

Practice

Tools

Tplmap is a Server-Side Template Injection and Code Injection detection and exploitation tool.

./tplmap.py -u 'http://www.target.com/page?name=John'

Here is an handy one-liner to automate SSTI scans on multiple URLs using tools like gau, hakrawler, waybackurls, katana, uro, qsreplace, httpx, Gxss, Dalfox.

It may be usefull for bug bounty hunting

# tplmap from targets url file
for url in $(cat targets.txt); do python3 tplmap.py -u $url; print $url; done

Fuzzing

We have to identify input vectors that may not be properly sanitized in GET and POST parameters. For this, we may fuzz parameters using the following payload

${{<%[%'"}}%\

If an exception is raised, this indicates that the injected template syntax is potentially being interpreted by the server in some way.

Identify Template Engine

Once you have detected the template injection, the next step is to identify the template engine.

By manually testing different language-specific payloads and study how they are interpreted by the target, we may identify the template engine.

Payload

Template Engine/Framework/Language

a{*comment*}b

Smarty

#{ 2*3 }

Pug, Spring

*{ 2*3 }

Spring

${"z".join("ab")}

Mako, ???

{{ '7'*7 }}

Angular, Django, Flask, Go, Jinja2, Tornado, Twig, ???

{{:2*3}}

JsRender

{% debug %}

Django

@(7*7)'

Razor (.NET)

Exploit

Once you have identified the engine, refers to the corresponding page to exploit it:

Resources

https://exploit-notes.hdks.org/exploit/web/security-risk/ssti/exploit-notes.hdks.org

Server-side template injection | Web Security AcademyWebSecAcademy

Last updated 7 months ago

hashtagTheory

hashtagPractice

hashtagTools

hashtagFuzzing

hashtagIdentify Template Engine

hashtagExploit

hashtagResources

Theory

Practice

Tools

Fuzzing

Identify Template Engine

Exploit

Resources