The injection point is in the POST parameter, but it cannot be detected

[sunset2131]

I'm not sure if it's my fault, but my manual test was successful. Is it because the tool didn't inject a simple payload for testing? For example, {{7*7}}

This is what I constructed using SSTImap:

python sstimap.py -u http://express.nyx/api/admin/availability -H 'Content-Type: application/json' -m 'POST' -d '{ "id":1,"url":"http://127.0.0.1:9000/username?name=*","token":"4493-3179-0912-0597" }' -l 5

.....
[*] Python_generic plugin is testing %}*{% code context escape with 624 variations
[*] Python_generic plugin is testing *}*{* code context escape with 6 variations
[*] Python_generic plugin is testing #}*{# code context escape with 6 variations
[-] Tested parameters appear to be not injectable.

I still have to say that the tool is very useful, thank you for your efforts

[vladko312]

Can you try again using -l 0 -p http://127.0.0.1:8080 -e Jinja2 to see the requests in BurpSuite?

[sunset2131]

Resquest in Linux:

Response in Linux:

Try parameters manually in the Windows：

use SSTImap in Windows：

SSTImap uses a proxy in Windows:

[vladko312]

You need to add --data-type json to process data as json. Should work with that.
Didn't notice this the first time, sorry.

I will probably add automatic body type detection later.

[sunset2131]

emmmm

[vladko312]

Can you show the full error message?

[sunset2131]

TemplateSyntaxError
jinja2.exceptions.TemplateSyntaxError: expected token 'end of print statement', got 'integer'

Traceback (most recent call last)
File \"/usr/local/lib/python3.11/dist-packages/flask/app.py\", line 1498, in __call__
    ) -> cabc.Iterable[bytes]:
        """The WSGI server calls the Flask application object as the
        WSGI application. This calls :meth:`wsgi_app`, which can be
        wrapped to apply middleware.
        """
        return self.wsgi_app(environ, start_response)                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File \"/usr/local/lib/python3.11/dist-packages/flask/app.py\", line 1476, in wsgi_app
            try:
                ctx.push()
                response = self.full_dispatch_request()
            except Exception as e:
                error = e
                response = self.handle_exception(e)                            ^^^^^^^^^^^^^^^^^^^^^^^^
            except:  # noqa: B001
                error = sys.exc_info()[1]
                raise
            return response(environ, start_response)
        finally:
File \"/usr/local/lib/python3.11/dist-packages/flask/app.py\", line 1473, in wsgi_app
        ctx = self.request_context(environ)
        error: BaseException | None = None
        try:
            try:
                ctx.push()
                response = self.full_dispatch_request()                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
            except Exception as e:
                error = e
                response = self.handle_exception(e)
            except:  # noqa: B001
                error = sys.exc_info()[1]
File \"/usr/local/lib/python3.11/dist-packages/flask/app.py\", line 882, in full_dispatch_request
            request_started.send(self, _async_wrapper=self.ensure_sync)
            rv = self.preprocess_request()
            if rv is None:
                rv = self.dispatch_request()
        except Exception as e:
            rv = self.handle_user_exception(e)                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        return self.finalize_request(rv)
 
    def finalize_request(
        self,
        rv: ft.ResponseReturnValue | HTTPException,
File \"/usr/local/lib/python3.11/dist-packages/flask/app.py\", line 880, in full_dispatch_request
 
        try:
            request_started.send(self, _async_wrapper=self.ensure_sync)
            rv = self.preprocess_request()
            if rv is None:
                rv = self.dispatch_request()                      ^^^^^^^^^^^^^^^^^^^^^^^
        except Exception as e:
            rv = self.handle_user_exception(e)
        return self.finalize_request(rv)
 
    def finalize_request(
File \"/usr/local/lib/python3.11/dist-packages/flask/app.py\", line 865, in dispatch_request
            and req.method == "OPTIONS"
        ):
            return self.make_default_options_response()
        # otherwise dispatch to the handler for that endpoint
        view_args: dict[str, t.Any] = req.view_args  # type: ignore[assignment]
        return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)  # type: ignore[no-any-return]                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
    def full_dispatch_request(self) -> Response:
        """Dispatches the request and on top of that performs request
        pre and postprocessing as well as HTTP exception catching and
        error handling.
File \"/opt/ssti.py\", line 21, in greet
    name = request.args.get('name')
    if not name:
        return "The parameter <strong>name</strong> is missing."
 
    template = f"Hello, {name}!"
    return render_template_string(template)            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
if __name__ == '__main__':
    app.run(debug=True, port=9000)
File \"/usr/local/lib/python3.11/dist-packages/flask/templating.py\", line 161, in render_template_string
 
    :param source: The source code of the template to render.
    :param context: The variables to make available in the template.
    """
    app = current_app._get_current_object()  # type: ignore[attr-defined]
    template = app.jinja_env.from_string(source)                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    return _render(app, template, context)
 
 
def _stream(
    app: Flask, template: Template, context: dict[str, t.Any]
File \"/usr/local/lib/python3.11/dist-packages/jinja2/environment.py\", line 1108, in from_string
        :param template_class: Return an instance of this
            :class:`Template` class.
        """
        gs = self.make_globals(globals)
        cls = template_class or self.template_class
        return cls.from_code(self, self.compile(source), gs, None)                                    ^^^^^^^^^^^^^^^^^^^^
 
    def make_globals(
        self, d: t.Optional[t.MutableMapping[str, t.Any]]
    ) -> t.MutableMapping[str, t.Any]:
        """Make the globals map for a template. Any given template
File \"/usr/local/lib/python3.11/dist-packages/jinja2/environment.py\", line 768, in compile
                return source
            if filename is None:
                filename = "<template>"
            return self._compile(source, filename)
        except TemplateSyntaxError:
            self.handle_exception(source=source_hint)             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
    def compile_expression(
        self, source: str, undefined_to_none: bool = True
    ) -> "TemplateExpression":
        """A handy helper method that returns a callable that accepts keyword
File \"/usr/local/lib/python3.11/dist-packages/jinja2/environment.py\", line 939, in handle_exception
        """Exception handling helper.  This is used internally to either raise
        rewritten exceptions or return a rendered traceback for the template.
        """
        from .debug import rewrite_traceback_stack
 
        raise rewrite_traceback_stack(source=source)         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
    def join_path(self, template: str, parent: str) -> str:
        """Join a template with the parent.  By default all the lookups are
        relative to the loader root so this method returns the `template`
        parameter unchanged, but if the paths should be relative to the
File \"<unknown>\", line 1, in template
jinja2.exceptions.TemplateSyntaxError: expected token 'end of print statement', got 'integer'
This is the Copy/Paste friendly version of the traceback.

[vladko312]

Seems like the website might decode the payload in some way... Can you try {{2+2}} manually?

[sunset2131]

yes,website might decode the payload in some way

+ signs are interpreted as spaces in URL query parameters

use urlendocde can work

So it's not a tool problem. I checked the server code as follows

from flask import Flask, request, render_template_string

app = Flask(__name__)

@app.route('/')
def home():
    return '''
    <form method="get" action="/username">
        <input type="text" name="name" placeholder="Enter your name">
        <input type="submit" value="Greet">
    </form>
    '''

@app.route('/username', methods=['GET'])
def greet():
    name = request.args.get('name')
    if not name:
        return "The parameter <strong>name</strong> is missing."
    
    template = f"Hello, {name}!"
    return render_template_string(template)

if __name__ == '__main__':
    app.run(debug=True, port=9000)

[sunset2131]

Maybe you can add special characters such as + to use url encoding when testing