jacobh.io
Server Side Template Injection (SSTI)

https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection

1. First try to generate an error to leak the templating engine
2. Use HackTricks payloads for execution
