Shulou(Shulou.com)06/01 Report--

This article shows you how to obtain the remote Shell of the server through SSTI vulnerabilities. The content is concise and easy to understand, which will definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

The template engine (in this case, the template engine for Web development) is generated to separate the user interface from the business data (content). It can generate documents in a specific format, and the template engine for the website will generate a standard HTML document. The static template file replaces the variable / placeholder with the actual value in the HTML page at run time. Currently popular and widely used template engine is Smarty,Twig,Jinja2,FreeMarker,Velocity.

The server-side template injection (SSTI) vulnerability would allow an attacker to inject template instructions as user input, resulting in the execution of arbitrary code. If you look at the source code of the web page and see a code snippet similar to the following, you can basically conclude that the application may be using some kind of template engine to render the data.

Var greet = 'Hello $name'

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.