Open In App

Tplmap – Tool For Automatic Server Side Template Injection Exploitation

Last Updated : 27 Jan, 2022
Improve
Improve
Like Article
Like
Save
Share
Report

Server-side template injection is a security flaw in which the hacker injects malicious input into a template to run commands on the server-side. We can use various automated tools to perform this vulnerability exploitation. Tplmap is an automated cyber security tool that can perform checking and exploitation of SSTI (Server-side template injection) vulnerability. Tplmap tool supports lots of template engines like PHP, Ruby, Python, Jinja2, and Tornado. We can gain the OS-SHELL after exploiting the vulnerability. This tool is developed in the Python Language and is also available on the GitHub platform.

Note: Make Sure You have Python Installed on your System, as this is a python-based tool. Click to check the Installation process: Python Installation Steps on Linux

Installation of Tplmap Tool on Kali Linux OS

Step 1: Use the following command to install the tool in your Kali Linux operating system.

git clone https://github.com/epinna/tplmap.git

Step 2: Now use the following command to move into the directory of the tool. You have to move in the directory in order to run the tool.

cd tplmap

Step 3: You are in the directory of the tplmap. Now you have to install a dependency of the tplmap using the following command.

sudo pip3 install -r requirements.txt

Step 4: All the dependencies have been installed in your Kali Linux operating system. Now use the following command to run the tool and check the help section.

python3 tplmap.py  --help

Working with Tplmap Tool on Kali Linux OS

Example 1: Basic Vulnerability Scan

python3 tplmap.py -u ‘http://www.target.com/page.php?id=1*’

In this example, we are checking for Server-Side Template Injection Vulnerabilities on the target domain.

The tool is testing for each type of plugin one by one.

We have got one of the vulnerabilities on Engine Jinja2.

Example 2: Exploiting the Vulnerability

python3 tplmap.py –os-shell -u ‘http://www.target.com/page.php?id=1*’

In this example, we will be trying to gain an os shell on the target domain.

The tool is scanning for vulnerabilities.

We have got the shell and we can run commands to get the information.


Like Article
Suggest improvement
Previous
SpoofThatMail - Check If Domain(s) Can Be Spoofed Based In DMARC Records
Next
Tulpar - Web Vulnerability Scanner Tool
Share your thoughts in the comments

Similar Reads

Commix - OS Command Injection and Exploitation Tool
Fuxploider - File Upload Vulnerability Scanner And Exploitation Tool
CMSeeK - CMS Detection and Exploitation Tool
CMSeeK - Open Source Content Management System Detection and Exploitation Tool
Ppmap - A Scanner or Exploitation Tool Written In GO
Dracnmap – Information Gathering and Network Exploitation Tool
Zeebsploit - Information gathering, Scanning, and Exploitation tool
FinalRecon - Automatic Web Reconnaissance Tool
W3brute - Automatic Web Application Brute Force Attack Tool
HOCig - Automatic HOC Information Gathering Tool in Linux

G
gauravgandal
Article Tags :
We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy
Lightbox