Server Side Template Injection
Template injection allows an attacker to inject template code into an existing template, or to have their input evaluated as a template of its own. A template engine makes designing HTML pages easier by using static template files in which, at runtime, variables and placeholders are replaced with actual values.
Summary
Tools
- TInjA - An efficient SSTI + CSTI scanner which utilizes novel polyglots

  ```
  tinja url -u "http://example.com/?name=Kirlia" -H "Authentication: Bearer ey..."
  tinja url -u "http://example.com/" -d "username=Kirlia" -c "PHPSESSID=ABC123..."
  ```
- Tplmap - Server-Side Template Injection and Code Injection Detection and Exploitation Tool

  ```
  python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
  python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
  python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
  ```
- SSTImap - Automatic SSTI detection tool with interactive interface based on Tplmap

  ```
  python3 ./sstimap.py -u 'https://example.com/page?name=John' -s
  python3 ./sstimap.py -u 'https://example.com/page?name=Vulnerable*&message=My_message' -l 5 -e jade
  python3 ./sstimap.py -i -A -m POST -l 5 -H 'Authorization: Basic bG9naW46c2VjcmV0X3Bhc3N3b3Jk'
  ```
Methodology
Detection
In most cases, this polyglot payload will trigger an error in the presence of an SSTI vulnerability:

```
${{<%[%'"}}%\.
```
The Template Injection Table is an interactive table containing the most efficient template injection polyglots along with the expected responses of the 44 most important template engines.
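As an added example (not code from the original page), the stdlib-only Python below shows the defender's side of this detection step: it scans a constructed access log for query values that open several template syntaxes at once, which is the signature of the polyglot above, and notes whether the same request drew a 5xx, the error the text describes. The marker table and the log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Opening delimiters of common template syntaxes (constructed table); the
# polyglot ${{<%[%'"}}%\. deliberately opens several of them at once.
TEMPLATE_MARKERS = {
    "${": "Freemarker / Velocity / JSP EL",
    "{{": "Jinja2 / Twig / Handlebars / Django",
    "{%": "Jinja2 / Twig / Django statement",
    "<%": "ERB / EJS / JSP scriptlet",
    "#{": "Ruby interpolation / SpEL",
    "*{": "Thymeleaf selection expression",
}

# Common/combined log format: client, timestamp, request line, status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def template_markers(value: str) -> list[str]:
    """Return the template delimiters present in an already URL-decoded value."""
    return [marker for marker in TEMPLATE_MARKERS if marker in value]

def scan_access_log(lines, min_families=2):
    """Flag query values that open at least `min_families` different template
    syntaxes (the polyglot signature) and record whether the server answered 5xx."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request record
        # parse_qsl percent-decodes names and values once
        for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            hits = template_markers(value)
            if len(hits) >= min_families:
                status = int(m["status"])
                findings.append({"ip": m["ip"], "param": name, "value": value,
                                 "markers": hits, "status": status,
                                 "server_error": status >= 500})
    return findings

# Constructed sample log: a normal request, the percent-encoded polyglot probe
# answered with a 500, and a benign value with one "{{" that stays below threshold.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /page?name=John HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] '
    '"GET /page?name=%24%7B%7B%3C%25%5B%25%27%22%7D%7D%25%5C. HTTP/1.1" 500 221',
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=%7B%7Bnot+a+probe HTTP/1.1" 200 884',
]
```

Run `scan_access_log(SAMPLE_LOG)`: only the second line is reported, with all three delimiter families and `server_error` set, while the single `{{` in the third line stays below the threshold.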