
Server Side Template Injection (SSTI)

Info

This note is still in development.

Overview


Template injection allows an attacker to inject template code into a template, existing or not. A template engine makes designing HTML pages easier by using static template files whose variables/placeholders are replaced with actual values at runtime.

Reference(s):
- https://swisskyrepo.github.io/PayloadsAllTheThings/Server%20Side%20Template%20Injection/
- https://portal.offsec.com/courses/web-200/books-and-videos/modal/modules/server-side-template-injection-discovery-and-exploitation/server-side-template-injection-discovery-and-exploitation

Tools


  • tplmap

    # Installation
    git clone https://github.com/epinna/tplmap
    cd tplmap
    pip install -r requirements.txt
    
    # Usage
    python ./tplmap.py -u '<url>'
    

  • SSTImap

    # Installation
    git clone https://github.com/vladko312/SSTImap
    cd SSTImap
    pip install -r requirements.txt
    
    # Usage
    python ./sstimap.py -u '<url>'
    

Other


[Image: Common Templating Engines]

Discovery


    {{7*7}}
    ${7*7}
    <%= 7*7 %>
    ${{7*7}}
    #{7*7}
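
A detection-side view of the probes listed above, as an added example that is not part of the original note: it URL-decodes access-log lines and flags arithmetic expressions wrapped in those template delimiters. The log format, the function names and the extra operators (`+`, `-`) are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Delimiter pairs taken from the probe list in this note.
DELIMITERS = [("${{", "}}"), ("{{", "}}"), ("${", "}"), ("#{", "}"), ("<%=", "%>")]

# Probe body: integer, operator, integer (7*7 in the note; + and - are an
# assumed generalisation).
ARITH = r"\s*\d+\s*[*+\-]\s*\d+\s*"
PROBE_RE = re.compile(
    "|".join(re.escape(o) + ARITH + re.escape(c) for o, c in DELIMITERS)
)

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded probes are normalised too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_probes(log_line):
    """Return template-style arithmetic probes found in one log line."""
    return [m.group(0) for m in PROBE_RE.finditer(decode(log_line))]

def scan(lines):
    """Map line index -> probes, for lines containing at least one probe."""
    hits = {}
    for i, line in enumerate(lines):
        found = find_probes(line)
        if found:
            hits[i] = found
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 "GET /greet?name=alice HTTP/1.1" 200',
    '203.0.113.9 "GET /greet?name=%7B%7B7*7%7D%7D HTTP/1.1" 200',
    '203.0.113.9 "GET /greet?name=%24%7B7*7%7D HTTP/1.1" 200',
    '203.0.113.9 "GET /greet?name=%253C%2525%253D%25207*7%2520%2525%253E HTTP/1.1" 200',
    '203.0.113.7 "GET /cart?total=7*7 HTTP/1.1" 200',
]

if __name__ == "__main__":
    for idx, probes in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {probes}")
```

The last sample line carries bare arithmetic with no template delimiters and is not flagged, which keeps ordinary parameters from raising alerts.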

Exploitation