Server Side Template Injection (SSTI)
A few weeks ago a friend sent me a URL and asked me to hack the server and get the passwd file. My first thought was that the server might be vulnerable to local file inclusion. So I decided to take a look at the URL and found it was just a simple web page that printed "Hello guest".
I'll hide the IP address of the web server for confidentiality purposes.
Looking at the page source, nothing meaningful came up.
I suggest that as a penetration tester you should always take a look at the source code, since developers sometimes leave comments behind that give you really important information about the structure of the server: the type of CMS (content management system, like WordPress, Joomla, CMSMS, etc.) it is running, the exact version of the web server installed (for example Apache or Nginx), and the languages installed.
Normally the files I look for are the common ones found on almost any website, for example robots.txt.
But I got nothing, so as my first step I decided to do an nmap scan on the server to fingerprint the exact server software running, because sometimes you get lucky and find a one-day exploit that has already been publicly released.
Doing an nmap scan
Some really interesting information came up. The web server is Gunicorn version 20.0.0. Gunicorn ("Green Unicorn") is a Python WSGI HTTP server for UNIX. It uses a pre-fork worker model, is compatible with various web frameworks, and is simple and lightweight. I decided to do a searchsploit to find out if the server was vulnerable.
I got nothing interesting from Exploit Database, so I opted for manual enumeration.
First I decided to do directory brute-forcing using gobuster, but it came back empty. So I decided to fuzz the URL parameters using wfuzz, hoping something interesting would show up.
And I found an outlier: the payload showed that the URL took a parameter called name.
I decided to replay the request using my browser to see what happens, and found that whatever value we pass to the parameter is simply appended to the web page.
So we had found a way of passing values to the web server. I tried a local file inclusion vulnerability by attempting to read a common file found on any Linux system ("/etc/passwd").
It didn't work.
Next I thought that maybe there were some filters in place, and I tried to bypass them using the obfuscated payloads from PayloadsAllTheThings. Nothing worked.
As I always say, Google is the best friend of any penetration tester, whether you are advanced or not. So I decided to google the common vulnerabilities that Python web applications have, and found the following URL that had really useful information.
The first vulnerability I decided to test was server-side template injection, also known as SSTI.
The easiest way of testing for server-side template injection is to use a simple payload.
Basic injection
${7*7}
${{7*7}}  ##### THIS ONE WORKED #####
${class.getClassLoader()}
${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}
If the response contains the result of the arithmetic (49) instead of the payload itself, the template engine evaluated our input, and the website is vulnerable to server-side template injection.
And voilà, we have found the vulnerability.
With server-side template injection you attack the web server's internals directly, and the attack can be escalated to something more severe, such as remote code execution and complete server compromise. I tried many payloads but got an internal server error.
I decided to automate the process using a tool called tplmap, which is available on GitHub.
Since we can get shell command execution, or remote code execution (RCE), why don't we get a reverse shell?
I decided to look at the source code of the web app
And we find that user input is embedded directly into the template source in an unsafe manner: there is no sanitization, and the template engine parses whatever the user supplies, hence the vulnerability.
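To make that root cause concrete, here is an added example that is not the target app's code (the post does not reproduce it). It assumes a Python app rendering with Jinja2, shows the unsafe pattern next to its fix, and turns the {{7*7}} probe from above into a check a developer can run against their own rendering function:

```python
# Added example (not from the original post). Assumes the app uses Jinja2,
# the template engine commonly behind Python/WSGI apps served by Gunicorn.
from jinja2 import Environment

# Constructed probe, the same arithmetic test used in the post: if the
# response carries the computed value instead of the literal text, the
# input reached the template parser rather than being treated as data.
PROBE = "{{7*7}}"
PROBE_RESULT = "49"


def render_unsafe(name: str) -> str:
    """The vulnerable pattern: user input is concatenated into the template
    SOURCE, so any template syntax it contains is parsed and evaluated."""
    template_source = "Hello " + name
    return Environment().from_string(template_source).render()


def render_safe(name: str) -> str:
    """The fix: the template source is a constant written by the developer;
    user input only ever enters as a context variable, i.e. as data.
    autoescape=True additionally neutralises HTML in the reflected value."""
    env = Environment(autoescape=True)
    return env.from_string("Hello {{ name }}").render(name=name)


def probe_indicates_ssti(render) -> bool:
    """Self-test for a rendering function: feed it the probe and report
    whether the engine evaluated it (True) or merely echoed it (False)."""
    out = render(PROBE)
    return PROBE_RESULT in out and PROBE not in out


if __name__ == "__main__":
    print(render_unsafe("guest"))  # Hello guest
    print(render_unsafe(PROBE))    # Hello 49      <- input was evaluated
    print(render_safe(PROBE))      # Hello {{7*7}} <- input stayed data
    print(probe_indicates_ssti(render_unsafe))  # True
    print(probe_indicates_ssti(render_safe))    # False
```

The fix is not a filter on the input: the template text itself must never be built from user data, and render_safe keeps the two strictly apart.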
I decided to retrieve the passwd file.
And that's it for now, guys. Till next time, take care, and if you liked my walkthrough you can clap for me below.