Oct 25, 2025

Server-side Template Injection

Exploit various templating engines that are vulnerable to SSTI.



Task 1

Introduction

  1. After 3 minutes, visit http://ssti.thm to access the machine.
No answer needed

Task 2

SSTI Overview

  1. Click me to proceed to the next task.
No answer needed

Task 3

Template Engines

  1. Click me to proceed to the next task.
No answer needed

Task 4

PHP - Smarty

  1. What is the content of the hidden text file in the server directory?
THM{0739eea78f5c7f4b1690737c6258e38b}

Task 5

NodeJS - Pug

  1. What is the content of the hidden text file in the server directory?
THM{1f8c3b32ad3217e84c145398bae00876}

Task 6

Python - Jinja2

  1. What is the content of the hidden text file in the server directory?
THM{ecc43642dd6934d37c69598174e6e126}

Task 7

Automating the Exploitation

  1. Click me to proceed to the next task.
No answer needed

Task 8

Extra-Mile Challenge

  1. What is the content of the hidden text file in the server directory?
THM{w0rK1Ng_sST1}

Task 9

Mitigation

  1. Click me to proceed to the next task.
No answer needed

Task 10

Conclusion

  1. I can now exploit SSTI vulnerabilities!
I can now exploit SSTI vulnerabilities!