Working with Tplmap Tool on Kali Linux OS

Example 1: Basic Vulnerability Scan

python3 tplmap.py -u 'http://www.target.com/page.php?id=1*'

In this example, we check the target domain for server-side template injection vulnerabilities.

The tool tests each template-engine plugin one by one.

The scan reports a vulnerability in the Jinja2 engine.

Example 2: Exploiting the Vulnerability

python3 tplmap.py --os-shell -u 'http://www.target.com/page.php?id=1*'

In this example, we try to gain an OS shell on the target domain.

The tool scans for vulnerabilities.

We get the shell and can run commands to gather information.


Tplmap – Tool For Automatic Server Side Template Injection Exploitation

Server-side template injection (SSTI) is a security flaw in which an attacker injects malicious input into a template so that commands run on the server side. Various automated tools can exploit this vulnerability. Tplmap is an automated cyber security tool that both checks for and exploits SSTI vulnerabilities. It supports many template engines, such as PHP, Ruby, Python, Jinja2, and Tornado. After exploiting the vulnerability, we can gain an OS shell. The tool is developed in Python and is available on GitHub.
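For defenders, scans of this kind leave template expression syntax in query parameters of the web server's access log. The following is an added example, not part of the original article or of Tplmap: a heuristic log check whose function names, delimiter list and sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Expression delimiters of common template engines (heuristic, not exhaustive):
# {{ ... }} and {% ... %} (Jinja2, Tornado), <% ... %> (Ruby ERB), ${ ... }.
TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|<%.*?%>|\$\{.*?\}", re.S)

# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return [(param, decoded_value)] for query parameters carrying template syntax."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    hits = []
    # parse_qsl percent-decodes each value, so %7B%7B is inspected as {{
    for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        if TEMPLATE_SYNTAX.search(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Return {line_index: hits} for log lines with at least one suspicious parameter."""
    findings = {}
    for i, line in enumerate(lines):
        hits = suspicious_params(line)
        if hits:
            findings[i] = hits
    return findings

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /page.php?id=%7B%7B7*7%7D%7D HTTP/1.1" 200 498',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /page.php?id=%3C%25%3D7*7%25%3E HTTP/1.1" 200 498',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=price+%7B10%7D HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {hits}")
```

The check only sees parameters in the URL; request bodies and headers need the same decoding and matching applied wherever they are logged.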

Note: Make sure you have Python installed on your system, as this is a Python-based tool.
