SSTI (Server-Side Template Injection)
Theory
Server-side template injection (SSTI) occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.
Practice
Tools
Tplmap is a Server-Side Template Injection and Code Injection detection and exploitation tool.
./tplmap.py -u 'http://www.target.com/page?name=John'
Here is a handy one-liner to automate SSTI scans on multiple URLs using tools like gau, hakrawler, waybackurls, katana, uro, qsreplace, httpx, Gxss, Dalfox.
It may be useful for bug bounty hunting.
# tplmap: scan every URL listed in targets.txt, echoing each URL once its scan finishes
while read -r url; do python3 tplmap.py -u "$url"; echo "$url"; done < targets.txt
Fuzzing
We have to identify input vectors that may not be properly sanitized in GET and POST parameters. For this, we may fuzz parameters using the following payload
${{<%[%'"}}%\
Identify Template Engine
Once you have detected the template injection, the next step is to identify the template engine.
By manually submitting different language-specific payloads and studying how the target interprets them, we may identify the template engine.
Payload               Engine(s)
a{*comment*}b         Smarty
#{ 2*3 }              Pug, Spring
*{ 2*3 }              Spring
${"z".join("ab")}     Mako, ???
{{ '7'*7 }}           Angular, Django, Flask, Go, Jinja2, Tornado, Twig, ???
{{:2*3}}              JsRender
{% debug %}           Django
@(7*7)                Razor (.NET)
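As an added illustration (not from the original page), the snippet below runs several of the probes above through Jinja2, one of the engines that repeats the string for {{ '7'*7 }}. It contrasts the vulnerable pattern, where the user value is spliced into the template source, with the fixed-template form that passes the value as data. It assumes the jinja2 package is installed; the function names render_unsafe, render_safe and probe_outcome and the sample inputs are this example's own.

```python
from jinja2 import Environment, TemplateSyntaxError

# Plain Jinja2 environment; autoescape=True mirrors how Flask renders HTML templates.
env = Environment(autoescape=True)


def render_unsafe(name):
    """Vulnerable pattern: the user-controlled value is spliced into the template
    source, so any template syntax it contains is parsed and evaluated by the engine."""
    return env.from_string("Hello " + name + "!").render()


def render_safe(name):
    """Hardened pattern: the template source is a fixed string and the value is
    passed as render-time data, so template syntax inside it is output as plain text."""
    return env.from_string("Hello {{ name }}!").render(name=name)


def probe_outcome(value):
    """What an observer sees when `value` reaches the vulnerable renderer: the
    rendered text, a template syntax error, or a runtime error from evaluation."""
    try:
        return ("rendered", render_unsafe(value))
    except TemplateSyntaxError as exc:
        return ("syntax-error", type(exc).__name__)
    except Exception as exc:  # e.g. ZeroDivisionError raised while evaluating {{7/0}}
        return ("runtime-error", type(exc).__name__)


if __name__ == "__main__":
    # Constructed inputs: a benign name followed by probes listed on this page.
    for value in ["John", "{{7*7}}", "{{ '7'*7 }}", "{{foobar}}", "{{7/0}}",
                  "{% debug %}", "{{}}", "<%= 7/0 %>", "${7*7}"]:
        print(f"{value!r:16} unsafe -> {probe_outcome(value)}")
        print(f"{'':16} safe   -> {render_safe(value)!r}")
```

Running it shows the fingerprinting logic the table relies on from the engine's own side: Jinja2 turns {{7*7}} into 49 and {{ '7'*7 }} into 7777777, renders the undefined name in {{foobar}} as an empty string, raises a runtime error for {{7/0}}, rejects {% debug %} with a syntax error unless its debug extension is loaded, and leaves <%= 7/0 %> and ${7*7} untouched because those delimiters mean nothing to it. In every case render_safe returns the probe as literal text, which is the fix: never build template source from user input. Jinja2's SandboxedEnvironment limits what evaluated expressions can reach but still evaluates them, so it is defence in depth, not a substitute.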
Simply submitting invalid syntax is often enough because the resulting error message will tell you exactly what the template engine is, and sometimes even which version.
Some possible payloads that may cause errors:
${}
{{}}
<%= %>
${7/0}
{{7/0}}
<%= 7/0 %>
${foobar}
{{foobar}}
<%= foobar %>
${7*7}
{{7*7}}
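From the defender's side, the fuzzing polyglot from the Fuzzing section and the delimiter probes listed above are exactly what access-log review should surface. The following is an added example, not part of the original page: it parses a few constructed combined-format log lines, URL-decodes every query parameter and flags values matching the polyglot or any of the delimiter pairs from the payload lists above. The log lines, rule names and function names (scan_log, classify, decoded_params) are this example's own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined-format style, not real traffic).
# Line 1 is benign; line 2 carries the fuzz polyglot (URL-encoded) and got a 500,
# lines 3 and 4 carry an arithmetic probe and an undefined-name probe.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /page?name=John HTTP/1.1" 200 512
203.0.113.11 - - [10/Oct/2023:13:55:40 +0000] "GET /page?name=%24%7B%7B%3C%25%5B%25%27%22%7D%7D%25%5C HTTP/1.1" 500 0
203.0.113.12 - - [10/Oct/2023:13:55:42 +0000] "GET /page?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 498
203.0.113.13 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=%7B%7Bfoobar%7D%7D HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The exact polyglot from the fuzzing step, then the generic delimiter pairs that
# the engine-identification probes are built from. Order matters: first match wins.
FUZZ_POLYGLOT = "${{<%[%'\"}}%\\"
PROBE_RULES = [
    ("polyglot-fuzz", re.compile(re.escape(FUZZ_POLYGLOT))),
    ("mustache-expr", re.compile(r"\{\{.*?\}\}")),      # {{7*7}}, {{ '7'*7 }}, {{foobar}}
    ("statement-tag", re.compile(r"\{%.*?%\}")),        # {% debug %}
    ("dollar-brace", re.compile(r"\$\{.*?\}")),         # ${7*7}, ${7/0}, ${foobar}
    ("erb-jsp-tag", re.compile(r"<%=?.*?%>")),          # <%= 7/0 %>
    ("hash-star-brace", re.compile(r"[#*]\{.*?\}")),    # #{ 2*3 }, *{ 2*3 }
    ("razor-expr", re.compile(r"@\(.*?\)")),            # @(7*7)
]


def decoded_params(target):
    """Split the request target and return its URL-decoded (name, value) pairs."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def classify(value):
    """Return the name of the first probe rule the decoded value matches, or None."""
    for name, pattern in PROBE_RULES:
        if pattern.search(value):
            return name
    return None


def scan_log(text):
    """Return one finding per request parameter whose decoded value looks like an SSTI probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, value in decoded_params(m["target"]):
            rule = classify(value)
            if rule:
                findings.append({
                    "ip": m["ip"], "status": int(m["status"]),
                    "param": param, "value": value, "rule": rule,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} status={f['status']} {f['rule']:<15} {f['param']}={f['value']!r}")
```

Decoding before matching is the important step, since the probes arrive percent-encoded and the raw line never contains literal braces. The status code is kept in each finding because a probe followed by a 500 is the strongest signal that a template engine actually choked on the input; on an application that legitimately accepts brace-heavy values (stored templates, JSON in query strings) the generic rules will need tuning, while the polyglot rule is specific enough to page on.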
The following tree can be used to identify which template engine is used

Exploit
Once you have identified the engine, refer to the corresponding page to exploit it:
Resources