SSTI (Server-Side Template Injection)

Last updated 10 days ago

Was this helpful?

Practice

Tools

Tplmap is a Server-Side Template Injection and Code Injection detection and exploitation tool.

./tplmap.py -u 'http://www.target.com/page?name=John'

Here is an handy one-liner to automate SSTI scans on multiple URLs using tools like gau, hakrawler, waybackurls, katana, uro, qsreplace, httpx, Gxss, Dalfox.

It may be usefull for bug bounty hunting

# tplmap from targets url file
for url in $(cat targets.txt); do python3 tplmap.py -u $url; print $url; done

Fuzzing

We have to identify input vectors that may not be properly sanitized in GET and POST parameters. For this, we may fuzz parameters using the following payload

${{<%[%'"}}%\

If an exception is raised, this indicates that the injected template syntax is potentially being interpreted by the server in some way.

Identify Template Engine

Once you have detected the template injection, the next step is to identify the template engine.

By manually testing different language-specific payloads and study how they are interpreted by the target, we may identify the template engine.

Payload

Template Engine/Framework/Language

a{*comment*}b

Smarty

#{ 2*3 }

Pug, Spring

*{ 2*3 }

Spring

${"z".join("ab")}

Mako, ???

{{ '7'*7 }}

Angular, Django, Flask, Go, Jinja2, Tornado, Twig, ???

{{:2*3}}

JsRender

{% debug %}

Django

@(7*7)'

Razor (.NET)

Simply submitting invalid syntax is often enough because the resulting error message will tell you exactly what the template engine is, and sometimes even which version.

Some possible payloads that may cause errors:

${}

{{}}

<%= %>

${7/0}

{{7/0}}

<%= 7/0 %>

${foobar}

{{foobar}}

<%= foobar %>

${7*7}

{{7*7}}

Practice

Tools

Tplmap is a Server-Side Template Injection and Code Injection detection and exploitation tool.

./tplmap.py -u 'http://www.target.com/page?name=John'

Here is an handy one-liner to automate SSTI scans on multiple URLs using tools like gau, hakrawler, waybackurls, katana, uro, qsreplace, httpx, Gxss, Dalfox.

It may be usefull for bug bounty hunting

# tplmap from targets url file
for url in $(cat targets.txt); do python3 tplmap.py -u $url; print $url; done

Fuzzing

We have to identify input vectors that may not be properly sanitized in GET and POST parameters. For this, we may fuzz parameters using the following payload

${{<%[%'"}}%\

If an exception is raised, this indicates that the injected template syntax is potentially being interpreted by the server in some way.

Identify Template Engine

Once you have detected the template injection, the next step is to identify the template engine.

By manually testing different language-specific payloads and study how they are interpreted by the target, we may identify the template engine.

Payload

Template Engine/Framework/Language

a{*comment*}b

Smarty

#{ 2*3 }

Pug, Spring

*{ 2*3 }

Spring

${"z".join("ab")}

Mako, ???

{{ '7'*7 }}

Angular, Django, Flask, Go, Jinja2, Tornado, Twig, ???

{{:2*3}}

JsRender

{% debug %}

Django

@(7*7)'

Razor (.NET)

Simply submitting invalid syntax is often enough because the resulting error message will tell you exactly what the template engine is, and sometimes even which version.

Some possible payloads that may cause errors:

${}

{{}}

<%= %>

${7/0}

{{7/0}}

<%= 7/0 %>

${foobar}

{{foobar}}

<%= foobar %>

${7*7}

{{7*7}}

SSTI (Server-Side Template Injection)

SSTI (Server-Side Template Injection)

Theory

Practice

Tools

Fuzzing

Identify Template Engine

Exploit

Resources

Theory

Practice

Tools

Fuzzing

Identify Template Engine

Exploit

Resources