Category: Web Application Analysis
Tags: ssti, template-injection, code-injection, penetration-testing, vulnerability-scanner, exploitation

SSTImap

SSTImap is an automatic SSTI detection tool with an interactive interface that checks websites for Server-Side Template Injection vulnerabilities and exploits them to gain operating system access.

Description

SSTImap is a penetration testing software designed to detect and exploit Code Injection and Server-Side Template Injection (SSTI) vulnerabilities in websites. It operates in both predetermined and interactive modes, allowing testers to identify vulnerable injection points across query parameters, body data, headers, and cookies. Once a vulnerability is detected, SSTImap can provide interactive shells on the template engine, its base language, or even the underlying operating system.

Use cases include security assessments of web applications using template engines, where SSTI vulnerabilities could lead to remote code execution. Testers can crawl websites to discover forms and URLs, customize detection levels, and apply various techniques like rendered, error-based, boolean blind, and time-based blind testing. The tool supports proxy usage, custom user agents, and detailed logging for thorough analysis.

It features a modular design with configurable engines and payloads, making it suitable for both automated scans and manual exploitation during pentests.

How It Works

SSTImap sends requests with an injection marker (default '*') placed at the chosen injection points (query, body, headers, cookies) and analyzes the responses for SSTI indicators using rendered-output, error-based, boolean-blind, and time-based blind detection across multiple escaping levels (1-5). Template engines are supported through backend modules, and a confirmed vulnerability can be escalated to an interactive shell via template code injection, evaluation in the engine's base language, or OS command execution. Crawling discovers additional targets and forms, which are parsed and tested; request methods, data types, delays, and proxies are all configurable.
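From the defender's side, the probes described above show up in web-server logs as parameter values carrying template-expression delimiters. The following is an added example (not part of this page or the SSTImap project): a small Python detector over constructed access-log lines that decodes query parameters, flags template delimiters, and reports clients that try more than one delimiter style, which is what a sweep across escaping levels looks like. Log lines, thresholds and the delimiter list are assumptions.

```python
# Added example, not SSTImap code: flag query parameters carrying template
# delimiters in (constructed) access-log lines, and group hits per client.
import re
from urllib.parse import urlsplit, parse_qsl

# Delimiters of common server-side template engines:
# Jinja2/Twig {{ }} and {% %}, Freemarker/Velocity ${ } and #{ }, ERB/JSP <%= %>
TEMPLATE_DELIMS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|#\{.*?\}|<%=.*?%>", re.S)

# Combined/common log format; only the request target matters here.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: one client probing two delimiter styles, one probing one.
# Body, header and cookie injection points are not visible in standard access
# logs, so the POST line below cannot be judged from this data alone.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Apr/2026:10:00:01 +0000] "GET /?name=test HTTP/1.1" 200 512
10.0.0.5 - - [16/Apr/2026:10:00:02 +0000] "GET /?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 514
10.0.0.5 - - [16/Apr/2026:10:00:03 +0000] "GET /?name=%24%7B7*7%7D HTTP/1.1" 500 0
10.0.0.9 - - [16/Apr/2026:10:00:04 +0000] "GET /search?q=%3C%25%3D7*7%25%3E HTTP/1.1" 200 300
10.0.0.9 - - [16/Apr/2026:10:00:05 +0000] "POST /login HTTP/1.1" 302 0
"""

def find_ssti_probes(log_text):
    """Return (client_ip, path, param, decoded_value) for each suspicious parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes values, so encoded braces are matched as braces
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if TEMPLATE_DELIMS.search(value):
                hits.append((m.group("ip"), parts.path, name, value))
    return hits

def probing_clients(log_text, threshold=2):
    """Clients using at least `threshold` distinct delimiter styles (assumed cut-off)."""
    styles = {}
    for ip, _path, _name, value in find_ssti_probes(log_text):
        styles.setdefault(ip, set()).add(TEMPLATE_DELIMS.search(value).group()[:2])
    return sorted(ip for ip, seen in styles.items() if len(seen) >= threshold)
```

A 500 response following such a probe (third line) is the error-based signal the tool looks for, so pairing this detector with status codes is a cheap way to prioritise alerts.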

Installation

sudo apt install sstimap

Flags

-h, --help                                show this help message and exit
-V, --version                             show program's version number and exit
--module MODULE                           Provide information about the module ('list' to show all modules)
--config CONFIG                           Use custom config file or directory
--no-color                                Disable color in output
-u, --url URL                             Target URL (e.g. 'https://example.com/?name=test')
-i, --interactive                         Run SSTImap in interactive mode
--load-urls LOAD_URLS                     File or directory to load URLs from (use '-' for STDIN)
--load-forms LOAD_FORMS                   File or directory to load forms from (use '-' for STDIN)
-M, --marker MARKER                       Use string as injection marker (default '*')
-P, --injection-points INJECTION_POINTS   Injection points to test without markers: Q(uery) B(ody) H(eaders) C(ookies). Default: QBHC
-d, --data DATA                           Request body data param to send (e.g. 'param=value') [Stackable]
--data-type DATA_TYPE                     Request body data type (default 'auto')
-c, --crawl CRAWL_DEPTH                   Depth to crawl (default/0: don't crawl)
-f, --forms                               Scan page(s) for forms
--empty-forms                             Treat pages without params as GET forms
-l, --level LEVEL                         Level of escaping to perform (1-5, Default: 1)
-e, --engine ENGINE                       Check only this backend template engine
-t, --tpl-shell                           Prompt for an interactive shell on the template engine
-s, --os-shell                            Prompt for an interactive operating system shell

Examples

Display the help message and usage information
sstimap -h
Scan a single target URL for SSTI vulnerabilities
sstimap -u 'https://example.com/?name=test'
Run SSTImap in interactive mode
sstimap -i
Load URLs from a file or directory for scanning
sstimap --load-urls urls.txt
Crawl the target website to depth 2 and scan for SSTI
sstimap -u 'https://example.com' -c 2
Scan the target page(s) for forms and test for SSTI
sstimap -u 'https://example.com' -f
Attempt to get an interactive shell on the template engine after detection
sstimap -u 'https://example.com' -t
Attempt to get an interactive operating system shell
sstimap -u 'https://example.com' -s
Updated 2026-04-16 (source: kali.org)