# Server-Side Template Injection

Server-Side Template Injection (SSTI) occurs when user input is concatenated into a template string before the templating engine renders it, instead of being passed to the template as data. The engine then parses the attacker's input as template syntax rather than displaying it as text. Because most engines expose language features from inside expressions (attribute access, method calls, imports), SSTI usually escalates from reading server-side data to arbitrary code execution on the server. Any stack with a server-side template engine is affected, for example Jinja2 and Mako (Python), Twig and Smarty (PHP), ERB (Ruby), FreeMarker and Velocity (Java), or EJS and Pug (Node.js).

<figure><img src="https://1676354979-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRLSjRQh9klei94RhxhvW%2Fuploads%2FoBNpTfPuEkFIUE69W2LO%2Fimage.png?alt=media&#x26;token=1f343555-5d99-437d-adad-6b635a788853" alt=""><figcaption><p>Source: <a href="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection">https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection</a></p></figcaption></figure>

### Payloads

Each line is one probe. Send it anywhere the application reflects input (a name field, a search term, a URL parameter) and compare what comes back: `49` in place of the literal `7*7` means the engine evaluated the expression, while the raw payload echoed back unchanged is plain reflection, not SSTI. Once a probe fires, the decision tree in the figure above gives the follow-up payload that separates engines sharing the same delimiters (for example `{{7*'7'}}` renders as `7777777` in Jinja2 but `49` in Twig).

```
${{<%[%'"}}%\.
{{7*7}}
${7*7}
<%= 7*7 %>
${{7*7}}
#{7*7}
*{7*7}
```

- `${{<%[%'"}}%\.` is a polyglot that mixes the delimiters of several engines. It rarely evaluates to anything, but on most engines it is a syntax error, so a 500 response or a stack trace naming the engine shows that the input reached a template parser.
- `{{7*7}}` targets the `{{ }}` family: Jinja2, Twig, Nunjucks.
- `${7*7}` targets the `${ }` family: Mako, FreeMarker, Velocity, Smarty.
- `<%= 7*7 %>` targets ERB (Ruby), EJS (Node.js) and JSP.
- `${{7*7}}` combines the two delimiter families in one request; a `{{ }}` engine such as Jinja2 renders it as `$49`.
- `#{7*7}` covers Ruby-style interpolation in Slim, Pug's `#{}` interpolation, and the Java EL `#{}` syntax used by JSF.
- `*{7*7}` is the Thymeleaf selection expression.
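The same probes driven from a script that walks the decision tree shown in the figure. This is an added example, not code from the page or from PayloadsAllTheThings. `send` stands for any function that submits a string to the target and returns the response body (a `requests` call in practice); `fake_target` is a constructed offline stand-in whose response tables hold what each engine renders for these specific probes, so the module runs without a network.

```python
"""Probe a target for SSTI and fingerprint the template engine.

Added example. The flow follows the PayloadsAllTheThings decision tree:
try {{7*7}}, then ${7*7}, then <%= 7*7 %>, and use one follow-up payload
to tell apart engines that share a delimiter. `send` is assumed to be a
callable that submits a string to the target and returns the response body.
"""
from typing import Callable, Dict, Optional

Send = Callable[[str], str]


def evaluated(send: Send, payload: str, expected: str) -> bool:
    """True when the response carries the engine's output for the payload and
    no longer contains the payload itself (verbatim reflection is not SSTI).
    The numeric probes can collide with a '49' that is already on the page;
    if that happens, switch to a larger, less common product."""
    body = send(payload)
    return expected in body and payload not in body


def fingerprint(send: Send) -> Optional[str]:
    """Return the engine (or family) when the target evaluates templates, else None."""
    # {{ }} family: Jinja2 and Twig both give 49 for 7*7. 7*'7' separates them:
    # Python repeats the string (7777777), Twig coerces it to a number (49).
    if evaluated(send, "{{7*7}}", "49"):
        body = send("{{7*'7'}}")
        if "7777777" in body:
            return "Jinja2"
        if "49" in body:
            return "Twig"
        return "unknown {{ }} engine"
    # ${ } family: Smarty strips its {* *} comments, Mako evaluates Python.
    if evaluated(send, "${7*7}", "49"):
        if evaluated(send, "a{*comment*}b", "ab"):
            return "Smarty"
        if evaluated(send, '${"z".join("ab")}', "zab"):
            return "Mako"
        return "unknown ${ } engine"
    # <%= %> family (ERB, EJS, JSP): no follow-up here, report the family.
    if evaluated(send, "<%= 7*7 %>", "49"):
        return "<%= %> engine (ERB/EJS/JSP)"
    return None


def fake_target(engine: str) -> Send:
    """Constructed stand-in for an HTTP request against a page that builds its
    template as "Hello " + user_input. Each table lists what that engine renders
    for the probes above (values taken from the decision tree); anything else
    is echoed back unchanged. The "safe" target passes input as data and so
    never parses it. Replace this with a real request when testing a target."""
    tables: Dict[str, Dict[str, str]] = {
        "jinja2": {"{{7*7}}": "49", "{{7*'7'}}": "7777777"},
        "twig": {"{{7*7}}": "49", "{{7*'7'}}": "49"},
        "smarty": {"${7*7}": "$49", "a{*comment*}b": "ab"},
        "mako": {"${7*7}": "49", '${"z".join("ab")}': "zab"},
        "erb": {"<%= 7*7 %>": "49"},
        "safe": {},
    }
    table = tables[engine]

    def send(payload: str) -> str:
        return "Hello " + table.get(payload, payload)

    return send


if __name__ == "__main__":
    for name in ("jinja2", "twig", "smarty", "mako", "erb", "safe"):
        print(f"{name:7s} -> {fingerprint(fake_target(name))}")
```

Against a live target, wire `send` to the injection point (for example a function that PUTs the payload into the vulnerable parameter and returns `response.text`) and keep the reflection check: a page that echoes `{{7*7}}` back literally is not exploitable through that parameter, whatever the framework behind it.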

### References

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection" %}
