Templates Injections - rabakuku/OSCP-PWK GitHub Wiki

From a black-box testing perspective, the page reflects the supplied value much like an XSS vulnerability would, but it also evaluates a basic arithmetic expression at runtime, which discloses its SSTI nature.

$ curl -g 'http://www.target.com/page?name=John'

Hello John!

$ curl -g 'http://www.target.com/page?name={{7*7}}'

Hello 49!
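To show why the probe above turns `{{7*7}}` into `49`, here is an added example (not code from the wiki or from Tplmap) using a toy template engine that only evaluates arithmetic: the vulnerable handler concatenates user input into the template source, so the engine parses it as template code, while the fixed handler keeps the template constant and passes the input as data.

```python
import ast
import operator
import re

# Toy stand-in for a template engine (assumption for illustration only):
# it evaluates {{ ... }} arithmetic and variable lookups. Real engines such
# as Jinja2 or Twig expose far more than arithmetic, which is what makes
# SSTI a code-execution issue rather than a curiosity.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}

def _eval_expr(node, context):
    if isinstance(node, ast.Expression):
        return _eval_expr(node.body, context)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Name):          # variable lookup, e.g. {{ name }}
        return context[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval_expr(node.left, context),
                                   _eval_expr(node.right, context))
    raise ValueError("unsupported expression")

def render(template, **context):
    """Replace each {{ expr }} in the template SOURCE with its evaluated value.
    A single pass: values substituted from context are never re-parsed."""
    def sub(match):
        tree = ast.parse(match.group(1).strip(), mode="eval")
        return str(_eval_expr(tree, context))
    return re.sub(r"\{\{(.*?)\}\}", sub, template)

def greet_vulnerable(name):
    # Vulnerable pattern: user input becomes part of the template source,
    # so "{{7*7}}" is parsed and evaluated by the engine -> "Hello 49!".
    return render("Hello " + name + "!")

def greet_safe(name):
    # Fixed pattern: the template source is a constant; user input is passed
    # as a context variable and is substituted as a string, never parsed
    # as template code -> "Hello {{7*7}}!".
    return render("Hello {{ name }}!", name=name)
```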

Tplmap

Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system.

https://github.com/epinna/tplmap

PayloadsAllTheThings/Server Side Template Injection/

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#basic-injection

Fuzz Server Side Template Injection with Burp Intruder

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Intruder/ssti.fuzz