Changelog tplmap v0.2:
* Exploitation of Dust.js template engine.
* Fix command execution payloads for Velocity template engine as suggested by @henshin.
* Exploitation of generic code injections for Python, JavaScript and PHP applications.
* Improve how to select the injection points via the command line.
tplmap v0.2
Tplmap (short for Template Mapper) is a tool that automate the process of detecting and exploiting Server-Side Template Injection vulnerabilities (SSTI).
+ This can be used by developers, penetration testers, and security researchers to detect and exploit vulnerabilities related to the template injection attacks.
+ The technique can be used to compromise web servers’ internals and often obtain Remote Code Execution (RCE), turning every vulnerable application into a potential pivot point.
Supported template engines:
Usage:
pip install yaml git clone https://github.com/epinna/tplmap && cd tplmap ./tplmap.py -h update: git pull origin master
Download: v0.2.zip | v0.2.tar.gz
Source: https://github.com/epinna | Our Post Before