SSTI (Server-Side Template Injection)
Last modified: 2024-04-13
Web
Automation
Tplmap is a program for Server-Side Template Injection and Code Injection.
./tplmap.py -u http://vulnerable.com/?name=test
Identify the Template Engine/Framework/Language
| Payload | Template Engine/Framework/Language |
|---|---|
a{*comment*}b |
Smarty |
#{ 2*3 } |
Pug, Spring |
*{ 2*3 } |
Spring |
${"z".join("ab")} |
Mako, ??? |
{{ '7'*7 }} |
Angular, Django, Flask, Go, Jinja2, Tornado, Twig, ??? |
{{:2*3}} |
JsRender |
{% debug %} |
Django |
<%= 7*7 %> |
ERB (Embedded Ruby) |
SSTI for Each Framework
Please see each article for details about SSTI.