SSTI (Server-Side Template Injection)
Server-side template injection (SSTI) occurs when attacker-controlled input is concatenated into a template instead of being passed to it as data, so the template engine interprets the input as native template syntax and executes it on the server.
Tplmap is a Server-Side Template Injection and Code Injection detection and exploitation tool.
We have to identify input vectors that may not be properly sanitized: GET and POST parameters first, but also headers, cookies and any other value the application renders. For this, fuzz each parameter with template payloads such as the ones listed at the end of this page (`{{7*7}}`, `${7*7}`, `<%= 7*7 %>` and their `7/0` variants).
If the server returns an error (for example on a `7/0` payload) or the computed result (`49`) instead of reflecting the literal payload, the injected template syntax is being interpreted by the server in some way.
Once you have detected the template injection, the next step is to identify the template engine.
By manually testing different language-specific payloads and studying how the target interprets them, we can identify the template engine.
| Payload | Template Engine/Framework/Language |
|---|---|
| `a{*comment*}b` | Smarty |
| `#{ 2*3 }` | Pug, Spring |
| `*{ 2*3 }` | Spring |
| `${"z".join("ab")}` | Mako, ??? |
| `{{ '7'*7 }}` | Angular, Django, Flask, Go, Jinja2, Tornado, Twig, ??? |
| `{{:2*3}}` | JsRender |
| `{% debug %}` | Django |

Several engines share the same delimiters, so look at the rendered value, not only at whether the payload was accepted: `{{ '7'*7 }}` renders as `7777777` in Jinja2 (Python string repetition) but as `49` in Twig (PHP coerces `'7'` to a number).

Once you have identified the engine, refer to the corresponding page to exploit it.
Detection payloads to fuzz with. The bare delimiters test whether the syntax is parsed at all, `7/0` should trigger an error if the expression is evaluated, `foobar` checks how an undefined variable is handled, and `7*7` should render as `49`:

```
${}
{{}}
<%= %>
${7/0}
{{7/0}}
<%= 7/0 %>
${foobar}
{{foobar}}
<%= foobar %>
${7*7}
{{7*7}}
```
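The detection and identification steps above, as an added example that is not part of the original page and not Tplmap's code. It probes one delimiter family at a time, treats a probe as evaluated only when the literal payload is no longer reflected and the expected result is present, and then narrows the engine down with the distinguishing payloads from the table. The "targets" are constructed stand-ins (`make_target`) that imitate how a Jinja2-, Twig- or Mako-backed page would render the probes, so the script runs offline; against a real host you would replace them with an HTTP request that puts the payload into the suspect parameter.

```python
"""Probe a parameter for SSTI and fingerprint the engine from the responses.

Added example (not from the original page and not Tplmap). Targets are
constructed stand-ins so everything runs offline.
"""
import re
from typing import Callable, Optional

Sender = Callable[[str], str]  # sends one payload, returns the response body

NUM_49 = r"(?<!\d)49(?!\d)"
NUM_6 = r"(?<!\d)6(?!\d)"

# Step 1, detection: one arithmetic probe per delimiter family.
DETECTION_PROBES = [
    ("{{7*7}}", NUM_49),
    ("${7*7}", NUM_49),
    ("<%= 7*7 %>", NUM_49),
    ("#{7*7}", NUM_49),
]

# Step 2, identification, most specific first. Expected outputs follow the
# table on this page plus the classic {{'7'*7}} split: Python engines repeat
# the string, Twig (PHP) coerces '7' to a number.
IDENTIFICATION_PROBES = [
    ("{{'7'*7}}", r"7777777", "Jinja2 (or another Python-expression engine such as Tornado)"),
    ("{{'7'*7}}", NUM_49, "Twig"),
    ("{{:2*3}}", NUM_6, "JsRender"),
    ("*{2*3}", NUM_6, "Spring"),
    ("#{2*3}", NUM_6, "Pug or Spring"),
    ('${"z".join("ab")}', r"\bazb\b", "Mako"),
    ("a{*comment*}b", r"\bab\b", "Smarty"),  # {* *} comments are stripped
]

ERROR_MARKERS = ("ZeroDivisionError", "division by zero", "Internal Server Error")


def evaluated(send: Sender, payload: str, expect: str) -> bool:
    """True when the payload is not reflected verbatim and its result appears."""
    body = send(payload)
    return payload not in body and re.search(expect, body) is not None


def detect(send: Sender) -> Optional[str]:
    """Return the first delimiter family the server evaluates, else None."""
    for payload, expect in DETECTION_PROBES:
        if evaluated(send, payload, expect):
            return payload
    return None


def raises_on_division(send: Sender, family: str) -> bool:
    """Secondary signal: 7/0 in the evaluated family should produce an error."""
    body = send(family.replace("7*7", "7/0"))
    return any(marker in body for marker in ERROR_MARKERS)


def fingerprint(send: Sender) -> str:
    """Detect first, then narrow the engine down with the distinguishing probes."""
    family = detect(send)
    if family is None:
        return "no template evaluation detected"
    for payload, expect, engine in IDENTIFICATION_PROBES:
        if evaluated(send, payload, expect):
            return engine
    return f"unidentified engine evaluating {family}"


def make_target(rendered: dict, error_on=()) -> Sender:
    """Constructed stand-in for an endpoint that renders ?name= inside a template.

    `rendered` maps payloads the engine evaluates to their output; anything
    else is reflected verbatim, as an engine does with foreign syntax.
    """
    def send(payload: str) -> str:
        if payload in error_on:
            return "<h1>Internal Server Error</h1>ZeroDivisionError: division by zero"
        return f"<p>Hello {rendered.get(payload, payload)}!</p>"
    return send


# Constructed targets (hypothetical responses, not captured from real hosts).
JINJA2_LIKE = make_target({"{{7*7}}": "49", "{{'7'*7}}": "7777777"}, error_on={"{{7/0}}"})
TWIG_LIKE = make_target({"{{7*7}}": "49", "{{'7'*7}}": "49"}, error_on={"{{7/0}}"})
MAKO_LIKE = make_target({"${7*7}": "49", '${"z".join("ab")}': "azb"}, error_on={"${7/0}"})
SAFE = make_target({})  # reflects everything, evaluates nothing

if __name__ == "__main__":
    for label, target in (("jinja2-like", JINJA2_LIKE), ("twig-like", TWIG_LIKE),
                          ("mako-like", MAKO_LIKE), ("safe", SAFE)):
        fam = detect(target)
        div = raises_on_division(target, fam) if fam else "-"
        print(f"{label:12} family={fam!r:14} 7/0 errors={div!s:5} engine={fingerprint(target)}")
```

The reflection check matters: a page that happens to contain `49` somewhere would otherwise count as vulnerable, so a probe only passes when the literal payload has disappeared from the response. Against a real target, also vary the operands (for example `1337*1337`) before trusting a single match.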