SSTImap v1.2 releases: About Automatic SSTI detection tool

by do son · Published October 20, 2022 · Updated January 7, 2024

SSTImap

SSTImap is a penetration testing software that can check websites for Code Injection and Server-Side Template Injection vulnerabilities and exploit them, giving access to the operating system itself.

This tool was developed to be used as an interactive penetration testing tool for SSTI detection and exploitation, which allows more advanced exploitation.

Sandbox break-out techniques came from:

James Kett’s Server-Side Template Injection: RCE For The Modern Web App
Other public research [1] [2]
Contributions to Tplmap [3] [4].

This tool is capable of exploiting some code context escapes and blind injection scenarios. It also supports eval()-like code injections in Python, Ruby, PHP, Java, and generic unsandboxed template engines.

Differences with Tplmap

Even though this software is based on Tplmap’s code, backward compatibility is not provided.

Interactive mode (-i) allowing for easier exploitation and detection
Base language eval()-like shell (-x) or single command (-X) execution
Added new payload for Smarty without enabled {php}{/php}. The old payload is available as Smarty_unsecure.
User-Agent can be randomly selected from a list of desktop browser agents using -A
SSL verification can now be enabled using -V
Short versions added to all arguments
Some old command line arguments were changed, check -h for help
Code is changed to use newer python features
Burp Suite extension temporarily removed, as Jython doesn’t support Python3

Predetermined mode

SSTImap in predetermined mode is very similar to Tplmap. It is capable of detecting and exploiting SSTI vulnerabilities in multiple different templates.

After the exploitation, SSTImap can provide access to code evaluation, OS command execution, and file system manipulations.

Interactive mode

In interactive mode, commands are used to interact with SSTImap. To enter interactive mode, you can use -i argument. All other arguments, except for the ones regarding exploitation payloads, will be used as initial values for settings.

Some commands are used to alter settings between test runs. To run a test, the target URL must be supplied via the initial -u argument or url command. After that, you can use run command to check the URL for SSTI.

If SSTI was found, commands can be used to start the exploitation. You can get the same exploitation capabilities, as in the predetermined mode, but you can use Crtl-C to abort them without stopping a program.

By the way, test results are valid until the target url is changed, so you can easily switch between exploitation methods without running a detection test every time.

To get a full list of interactive commands, use command help in interactive mode.

Supported template engines

SSTImap supports multiple template engines and eval()-like injections.

New payloads are welcome in PRs.

Engine	RCE	Blind	Code evaluation	File read	File write
Mako	✓	✓	Python	✓	✓
Jinja2	✓	✓	Python	✓	✓
Python (code eval)	✓	✓	Python	✓	✓
Tornado	✓	✓	Python	✓	✓
Nunjucks	✓	✓	JavaScript	✓	✓
Pug	✓	✓	JavaScript	✓	✓
doT	✓	✓	JavaScript	✓	✓
Marko	✓	✓	JavaScript	✓	✓
JavaScript (code eval)	✓	✓	JavaScript	✓	✓
Dust (<= dustjs-helpers@1.5.0)	✓	✓	JavaScript	✓	✓
EJS	✓	✓	JavaScript	✓	✓
Ruby (code eval)	✓	✓	Ruby	✓	✓
Slim	✓	✓	Ruby	✓	✓
ERB	✓	✓	Ruby	✓	✓
Smarty (unsecured)	✓	✓	PHP	✓	✓
Smarty (secured)	✓	✓	PHP	✓	✓
PHP (code eval)	✓	✓	PHP	✓	✓
Twig (<=1.19)	✓	✓	PHP	✓	✓
Freemarker	✓	✓	Java	✓	✓
Velocity	✓	✓	Java	✓	✓
Twig (>1.19)	×	×	×	×	×
Dust (> dustjs-helpers@1.5.0)	×	×	×	×	×