SSTI (Server-Side Template Injection)

Theory

Server-side template injection occurs when an attacker can use a template engine's native syntax to inject a payload into a template that is then evaluated server-side.

Practice

Tools

Tplmap is a Server-Side Template Injection and Code Injection detection and exploitation tool.

./tplmap.py -u 'http://www.target.com/page?name=John'

Fuzzing

We have to identify input vectors in GET and POST parameters that may not be properly sanitized. For this, we may fuzz parameters using the following payload, which mixes the opening delimiters of several common template engines:

${{<%[%'"}}%\

If an exception is raised, this indicates that the injected template syntax is potentially being interpreted by the server in some way.

Identify Template Engine

Once you have detected the template injection, the next step is to identify the template engine.

By manually testing different language-specific payloads and studying how the target interprets them, we may identify the template engine.

Payload                 Template Engine/Framework/Language
a{*comment*}b           Smarty
#{ 2*3 }                Pug, Spring
*{ 2*3 }                Spring
${"z".join("ab")}       Mako, ???
{{ '7'*7 }}             Angular, Django, Flask, Go, Jinja2, Tornado, Twig, ???
{{:2*3}}                JsRender
{% debug %}             Django
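As an added defender-side example (not code from the original page), the following Python script applies the fuzzing and identification logic described above to constructed web-server access-log lines: it decodes each query parameter, flags values that carry the fuzz payload or any of the engine-specific delimiters from the table, and notes whether the request also produced a 5xx response (the exception signal mentioned in the fuzzing step). The log format, the sample lines and the grouping of markers by engine are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Opening delimiters taken from the probe payloads above, with the engines the
# page associates with each (grouping is an assumption, used only for labelling).
TEMPLATE_MARKERS = [
    ("{{", "Jinja2/Twig/Django/Angular-style expression"),
    ("{%", "Jinja2/Django tag"),
    ("${", "Mako-style expression"),
    ("#{", "Pug/Spring expression"),
    ("*{", "Spring expression"),
    ("{*", "Smarty comment"),
    ("<%", "ERB/JSP-style tag"),
    ("{{:", "JsRender expression"),
]

# Assumed combined-log-style line: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) \S+')

def scan_line(line):
    """Return a finding dict if a decoded query parameter contains template syntax, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, target, status = m.groups()
    # parse_qsl percent-decodes values, so the raw fuzz payload is recovered here.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits = [marker for marker, _ in TEMPLATE_MARKERS if marker in value]
        if hits:
            return {"src": src, "method": method, "param": name, "value": value,
                    "markers": hits, "status": int(status), "error": int(status) >= 500}
    return None

def scan_log(lines):
    """Scan every line and return the findings in log order."""
    return [f for f in (scan_line(l) for l in lines) if f]

# Constructed sample lines (not real traffic): a benign request, the fuzz payload
# from this page triggering a 500, and the {{'7'*7}} identification probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page?name=John HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /page?name=%24%7B%7B%3C%25%5B%25%27%22%7D%7D%25%5C HTTP/1.1" 500 0',
    '203.0.113.5 - - [10/Oct/2023:13:55:45 +0000] "GET /page?name=%7B%7B%277%27*7%7D%7D HTTP/1.1" 200 520',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```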

Exploit

Once you have identified the engine, refer to the corresponding page to exploit it:

Resources
