SSTI (Server-Side Template Injection)
Templating engines dynamically render static files using context and user requests. For instance, headers change based on user login status. These engines use delimiters to define template blocks, common in Python and Jinja. Jinja uses a unique syntax but operates on Python principles.
Template injections can lead to system-level code execution or reveal vulnerabilities like Server-Side Template Injection (SSTI). Exploring Python's inheritance and class attributes, such as __class__
and __mro__
, helps understand these vulnerabilities. Payloads manipulating these attributes can read sensitive files or execute code, especially in different Python versions.
- Discovery and Analysis
Once we see in Burp request something like template, or we know we are inside any template engine, we should try injecting {{7*7}}
, if the result (49
) is reflected in a response, then, the target is vulnerable.
Then, we will replace "{{7*7}}
" in the template with “{{ ’’.__class__ }}
” to determine if we can replicate accessing the class of an empty string as we did in the Python console.
If the response is something like "ilegal template
", we will look at the code, searching functions like get_email_template, render_template or if safe_render and ".__
" in template: throw("Illegal template
").
Locate in the code which template is loaded and where is triggered, then use exploit for the specific template:
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
Last updated