# Server Side Template Injection

![[Bike Write-up#^lipter]]

This [Hacktricks](https://book.hacktricks.wiki/en/pentesting-web/ssti-server-side-template-injection/index.html) page provides a nice breakdown of this attack, along with payload examples. Its [detection](https://book.hacktricks.wiki/en/pentesting-web/ssti-server-side-template-injection/index.html#detection) section explains how to verify which template engine is in use and whether it is vulnerable. It boils down to the chart included below.

Test strings:

```
D{{="O"}}T
P#{XXXXXXX}ug
Thym[[${session}]]eleaf
Dus{XXXXXXX}tjs
Sm{"ar"}ty
La{var $X="tt"}{$X}e
#set($X="Velo")#set($Y="city")$X$Y$
Underscore OR<%"XXXXXXX"%>Ejs
E<%="j"_%>s
This {{printf "is "}}GO
<> Haml#{"OR"}Slim
Erb<%="OR Erubi OR"%>Erubis
Must{{Context.lookup}}ache
Handlebars OR Hogan{{XXXXXXX}} OR Pystache
{{#if 0 includeZero=true}}Handlebars{{/if}}
Mako${" OR Chameleon OR "}Cheetah
<?python ?>
<%doc</%doc>
Freemarker${" OR "}Groovy
${NUMBER?lower_abc}
${((char)NUMBER).toString()}
Liquid AND Blade OR Twig {{" AND Jinja2 OR Bottle OR Tornado OR Django AND "}}
Nunjucks OR Twig OR Vue {{|reverse}}
{{|wordcount}}
{{-Comment-}}
{{ "<h1>Django OR Jinja2</h1>"|striptags }}
Djan{{ Jinja2.Django }}go
Torn{% comment %}ado
```

![[TemplateEngineIdentificationChart.png]]

## Hack The Box Machines

- [[Bike Write-up]]
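The delimiter syntax in the test strings above is also what a defender looks for in request logs. As an added example, not from this note or from Hacktricks, the Python below percent-decodes the query parameters of constructed access-log lines and reports which engine families from the chart each value's delimiters point to; the grouping of engines per delimiter is my own reading of the chart, not an authoritative list.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Delimiter families taken from the identification strings above, each mapped
# to the engine families in the chart that use that syntax (my own grouping).
FAMILIES = [
    (r"\[\[\$\{.*?\}\]\]", "Thymeleaf [[${...}]]"),
    (r"\{\{.*?\}\}", "Jinja2/Twig/Django/Nunjucks/Handlebars/Mustache {{...}}"),
    (r"\{%.*?%\}", "Jinja2/Django/Twig {% ... %}"),
    (r"\$\{.*?\}", "Freemarker/Groovy/Mako ${...}"),
    (r"<%.*?%>", "ERB/Erubi/EJS <%...%>"),
    (r"#\{.*?\}", "Pug/Haml/Slim #{...}"),
    (r"#set\(", "Velocity #set(...)"),
    (r"\{\$\w.*?\}", "Latte/Smarty {$var}"),
    (r"<\?python", "Chameleon <?python ?>"),
]
COMPILED = [(re.compile(p, re.S), label) for p, label in FAMILIES]

# Constructed access-log lines; lines 2 and 3 carry probe strings from the
# list above, percent-encoded the way a browser or tool would send them.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /greet?name=Alice HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /greet?name=Djan%7B%7B%20Jinja2.Django%20%7D%7Dgo HTTP/1.1" 200 530',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /greet?name=P%23%7BXXXXXXX%7Dug&lang=Freemarker%24%7B%22%20OR%20%22%7DGroovy HTTP/1.1" 500 89',
]

REQ_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/')

def classify(value):
    """Return the delimiter families found in one already-decoded parameter value."""
    return [label for rx, label in COMPILED if rx.search(value)]

def scan_line(line):
    """Map each query parameter of one access-log line to the template syntaxes it contains."""
    m = REQ_RE.search(line)
    if not m:
        return {}
    query = urlsplit(m.group(1)).query
    hits = {}
    # parse_qsl percent-decodes, so %7B%7B becomes {{ before matching
    for key, val in parse_qsl(query, keep_blank_values=True):
        found = classify(val)
        if found:
            hits[key] = found
    return hits

def scan_log(lines):
    """Return (line_index, hits) for every line whose parameters contain template syntax."""
    results = []
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            results.append((i, hits))
    return results

if __name__ == "__main__":
    for i, hits in scan_log(SAMPLE_LOG):
        print(f"line {i}: {hits}")
```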