loading
loading
Vulnerabilities
Server-side template injection and code injection detection and exploitation tool.
overview
tplmap finds and exploits server-side template injection, the flaw where user input reaches a template engine and gets evaluated instead of printed. Point it at a URL and it injects probe payloads, fingerprints the engine rendering them, and confirms whether the input is executed. SSTI often leads straight to remote code execution, so a confirmed finding ranks among the highest-impact results a web test produces.
It covers a wide set of engines and two detection strategies. The rendered and time-based blind techniques catch injections whether or not output is reflected, and you control the back-end engine, the escape level, and the injection point through cookies, headers, POST data, or the URL. Once a context is confirmed, tplmap runs operating-system commands and uploads files, turning detection into demonstrable exploitation.
On Trickest, tplmap is a Vulnerabilities-category node that takes a target URL and writes a file and a folder of results. Place it after a crawler and prober have produced live, parameterized endpoints, so it tests only URLs that take input.
source github.com/epinna/tplmap
use cases
Feed parameterized URLs to tplmap so it probes each input, fingerprints the rendering engine, and confirms whether user data is evaluated as template code rather than printed.
Use the time-based blind technique to flag injections that never reflect output, so a vulnerable but silent endpoint still surfaces from response timing alone.
Once a context is confirmed, run an OS command with --os-cmd or upload a file to prove the finding leads to execution, not only to a rendered expression.
Inject through cookies, headers, POST data, or the URL so endpoints that take input outside the query string are still covered.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | --url | Target URL to test. |
| post-data | STRING | --data | Data sent via POST, as a query string (param1=value1¶m2=value2). |
| technique | STRING | -t | Techniques: R(endered), T(ime-based blind). Default RT. |
| header | STRING | -H | Extra headers, for example Header1: Value1. |
| cookie | STRING | -c | Cookies, for example Field1=Value1. |
| backend-engine | STRING | -e | Force the back-end template engine to a specific value. |
| os-cmd-to-execte | STRING | --os-cmd | Execute an operating-system command through a confirmed injection. |
| level-code-context | STRING | --level | Level of code-context escape to perform (1 to 5, default 1). |
Showing key inputs. tplmap exposes 16 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | --url | Target URL. |
| proxy | STRING | --proxy | Use a proxy to connect to the target URL. |
| cookie | STRING | -c | Cookies (for example Field1=Value1). |
| header | STRING | -H | Extra headers (for example Header1: Value1). |
| tpl-code | STRING | --tpl-code | Inject code in the template engine. |
| post-data | STRING | --data | Data string to send via POST, as a query string: param1=value1¶m2=value2. |
| technique | STRING | -t | Techniques R(endered), T(ime-based blind). Default RT. |
| user-agent | STRING | -A | HTTP User-Agent header value. |
| force-level | BOOLEAN | --force-level | Force a LEVEL and CLEVEL to test. |
| http-method | STRING | -X | Force usage of a given HTTP method (for example PUT). |
| upload-file | FILE | --upload | Upload a file to the target. |
| injection-tag | STRING | --injection-tag | Use a string as the injection tag (default *). |
| backend-engine | STRING | -e | Force the back-end template engine to this value. |
| os-cmd-to-execte | STRING | --os-cmd | Execute an operating-system command. |
| level-code-context | STRING | --level | Level of code-context escape to perform (1 to 5, default 1). |
| force-overwrite-uploaded-files | BOOLEAN | --force-overwrite | Force file overwrite when uploading. |
example
# detect SSTI on a query parameter, then run one OS command if confirmedtplmap --url 'https://example.com/greeting?name=test' --os-cmd 'id'[+] Tplmap 0.5[+] Testing if GET parameter 'name' is injectable[+] Jinja2 plugin has confirmed injection with tag '{{*}}'[+] Tplmap identified the following injection point: GET parameter: name Engine: Jinja2 Injection: {{*}} Context: text Capabilities: Shell command execution: ok, Code evaluation: ok[+] Run commands on the operating system.guidance
Reach for tplmap when an endpoint reflects or processes user input through a template and you suspect SSTI. It is specialized for template and code injection, so for SQL injection use sqlmap and for broad templated checks use nuclei. Run tplmap on parameterized URLs a crawler has already found.
Detects and exploits SQL injection. Same exploitation depth, different vulnerability class.
Template-based scanner with some SSTI checks among thousands. tplmap goes far deeper on confirming and exploiting one class.
Crawls to find the parameterized endpoints tplmap then tests. Run it upstream.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
A target feeds katana, which crawls for parameterized endpoints and passes them to tplmap, which tests for template injection and writes the findings.
Facts on this page come from the live Trickest tool library.