0x1 Posted September 5, 2016 Share Posted September 5, 2016 Automatic Server Side Template Injection Exploitation This is the hidden content, please Sign In or Sign Up Tplmap (short for Template Mapper) is a tool that automate the process of detecting and exploiting Server-Side Template Injection vulnerabilities (SSTI). This assists SSTI exploitation to compromise the application and achieve remote command execution on the operating system. The tool can be used by security researchers and penetration testers, to detect and exploit vulnerabilities and study the template injection vulnerability class. The plugin architecture makes easy to extend the tool and support new template engines and sandbox break-out techniques. Part of the implemented techniques came from public research papers as James Kett’s Server-Side Template Injection: RCE For The Modern Web App and other works while others have been discovered to extend this tool exploitation capabilities. Tplmap is able to detect and achieve arbitrary command execution in several scenarios as injections in code context and blind injections. The tool also detects code injections in several languages (e.g. Server-Side JavaScript Injection) exploiting eval()-like injections and generic template engines accepting arbitrary code. This is the hidden content, please Sign In or Sign Up Download & source : [HIDE-THANKS] This is the hidden content, please Sign In or Sign Up [/HIDE-THANKS] Run on linux cmd : [HIDE-THANKS] This is the hidden content, please Sign In or Sign Up [/HIDE-THANKS] Link to comment Share on other sites More sharing options...
Recommended Posts