SSTImap is a penetration testing tool that checks websites for Code Injection and Server-Side Template Injection (SSTI) vulnerabilities and exploits them, up to gaining access to the underlying operating system.
It was developed as an interactive penetration testing tool for SSTI detection and exploitation; the interactive mode allows more advanced exploitation than a single automated run.
Sandbox break-out techniques came from:
This tool is capable of exploiting some code context escapes and blind injection scenarios. It also supports eval()-like code injections in Python, Ruby, PHP, Java and generic unsandboxed template engines.
Differences with Tplmap
Even though this software is based on Tplmap’s code, backwards compatibility is not provided.
- Interactive mode (-i) allowing for easier exploitation and detection
- Base language eval()-like shell (-x) or single command (-X) execution
- Added a new payload for Smarty without {php}{/php} enabled. The old payload is available as Smarty_unsecure.
- User-Agent can be randomly selected from a list of desktop browser agents using -A
- SSL verification can now be enabled using -V
- Short versions added to all arguments
- Some old command line arguments were changed, check -h for help
- Code is changed to use newer Python features
- Burp Suite extension temporarily removed, as Jython doesn't support Python 3
Server-Side Template Injection
This is an example of a simple website written in Python using the Flask framework and the Jinja2 template engine. It integrates the user-supplied variable name in an unsafe way: the value is concatenated into the template string before rendering, so any template syntax it contains is parsed and evaluated by Jinja2 instead of being treated as data.
from flask import Flask, request, render_template_string
import os

app = Flask(__name__)

@app.route("/page")
def page():
    name = request.args.get('name', 'World')
    # SSTI VULNERABILITY: the user-controlled value is placed into the template
    # source via an f-string, so Jinja2 evaluates any {{ ... }} or {% ... %}
    # the attacker supplies in the name parameter
    template = f"Hello, {name}!<br>\n" \
               "OS type: {{os}}"
    return render_template_string(template, os=os.name)

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=80)
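To make the defect concrete, here is an added example (not part of SSTImap or of the page's own code) that puts the vulnerable pattern next to its hardened form in one Flask app and exercises both with Flask's test client, using the arithmetic probe that SSTI scanners send first. The route names, the helper functions and the fingerprint labels are assumptions made for this demonstration.

```python
from flask import Flask, request, render_template_string

app = Flask(__name__)


@app.route("/vuln")
def vuln():
    # Same defect as the /page route above: the user-controlled value is
    # spliced into the template *source*, so Jinja2 parses and evaluates it.
    name = request.args.get("name", "World")
    return render_template_string(f"Hello, {name}!")


@app.route("/safe")
def safe():
    # Fix: the template source is a constant and the user value is passed as a
    # context variable. Jinja2 treats it as data (and, because Flask autoescapes
    # string templates, HTML-escapes it on output).
    name = request.args.get("name", "World")
    return render_template_string("Hello, {{ name }}!", name=name)


def render(path, name):
    """Issue GET <path>?name=<name> against the app and return the body text."""
    with app.test_client() as client:
        resp = client.get(path, query_string={"name": name})
        return resp.get_data(as_text=True)


def is_injectable(path):
    """Arithmetic probe: if the engine evaluated {{7*7}}, the literal 49 shows
    up in the response and the probe string itself does not."""
    body = render(path, "{{7*7}}")
    return "49" in body and "{{7*7}}" not in body


def fingerprint(path):
    """Tell engines apart by how they evaluate 7*'7': Python-based engines such
    as Jinja2 repeat the string, PHP-based ones such as Twig coerce it to 49.
    Labels are hypothetical; real tools use many more probes."""
    body = render(path, "{{7*'7'}}")
    if "7777777" in body:
        return "python-like (e.g. Jinja2)"
    if "49" in body:
        return "numeric coercion (e.g. Twig)"
    return "not evaluated"


if __name__ == "__main__":
    for route in ("/vuln", "/safe"):
        print(route, repr(render(route, "{{7*7}}")),
              is_injectable(route), fingerprint(route))
```

Sending name={{7*7}} to /vuln yields "Hello, 49!" while /safe returns the probe string unchanged; the same probe is what SSTImap's detection phase automates across many engines and injection contexts.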