aeondave/sstimap
offensive-tools/vuln-scanners/sstimap/SKILL.md
Auth/lab ref: actively maintained SSTI detection and exploitation tool with interactive and predetermined modes across Jinja2, Twig, Smarty, Freemarker, Velocity, ERB, Pug, Nunjucks, and more.
$ install --global
skillsauthnpx skillsauth add aeondave/malskill sstimapInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 8, 2026, 4:07 AM160.7s2 files scanned
SKILL.md
- name:
- sstimap
- description:
- Auth/lab ref: actively maintained SSTI detection and exploitation tool with interactive and predetermined modes across Jinja2, Twig, Smarty, Freemarker, Velocity, ERB, Pug, Nunjucks, and more.
- license:
- GPL-3.0
- compatibility:
- Linux / macOS / Windows; Python 3.
- author:
- AeonDave
- version:
- 1.0
SSTImap
Modern SSTI detection and exploitation — maintained successor to tplmap.
Quick Start
git clone https://github.com/vladko312/SSTImap
cd SSTImap && pip3 install -r requirements.txt
# Basic detection
python3 sstimap.py -u "http://target.com/render?name=*"
# POST injection point
python3 sstimap.py -u "http://target.com/render" -d "name=*"
# Interactive exploitation
python3 sstimap.py -u "http://target.com/render?name=*" --interactive
Use * to mark the injection point in URL params, POST body, or headers.
Core Flags
| Flag | Purpose |
|------|---------|
| -u <url> | Target URL with * marker |
| -d <data> | POST body with * marker |
| -H "K: V" | Custom header |
| --cookie <str> | Cookie string |
| --os-shell | Try interactive OS shell |
| --os-cmd <cmd> | Execute one OS command |
| --interactive | Interactive exploitation mode |
| --engine <name> | Force engine if known |
| --proxy <url> | Route through Burp/ZAP |
| --extra <dir> | Load extra plugins |
Supported Engines
Common engines covered:
- Jinja2 / Python eval
- Twig / Smarty
- Freemarker / Velocity
- ERB / Slim / Ruby eval
- Pug / Nunjucks / doT / Dust / EJS
- Tornado / Mako / Marko
Detection Workflow
# 1. Confirm reflection manually
name={{7*7}}
name=${7*7}
name=<%= 7*7 %>
name=#{7*7}
# 2. Hand off to SSTImap
python3 sstimap.py -u "http://target.com/?name=*"
# 3. If engine known, force it for cleaner exploitation
python3 sstimap.py -u "http://target.com/?name=*" --engine jinja2 --interactive
Typical Escalation Path
| Stage | Objective |
|-------|-----------|
| Expression eval | {{7*7}} / ${7*7} returns 49 |
| Object traversal | reach builtins / classes / globals |
| File read | load templates, config, env |
| Command exec | os.popen, subprocess, engine-native gadget |
| Shell | reverse shell or interactive command loop |
Why Prefer SSTImap over tplmap
- Actively maintained with releases in 2025
- Native Python 3 workflow
- Interactive mode is cleaner for real exploitation
- Extra plugins support newer engines and CVE-specific chains
References
- SSTI payloads:
references/ssti-payloads.md - SSTImap repository
Related Skills
aeondave/vibe-audit-technique
development
VerifiedTrustedCommunity
White-box auditing methodology for AI-generated ('vibe-coded') applications. Focuses on modern stack misconfigurations (Supabase, Next.js, Vercel).
4SKILL.mdUpdated Jun 12, 2026
aeondave/source-review-technique
development
VerifiedTrustedCommunity
Hybrid AI/Deterministic SAST methodology for discovering zero-day vulnerabilities in source code. Orchestrates structural search with AI-driven data flow and sink validation.
4SKILL.mdUpdated Jun 12, 2026
aeondave/hardware-technique
development
VerifiedTrustedCommunity
Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.
4SKILL.mdUpdated Jun 12, 2026
aeondave/container-technique
devops
VerifiedTrustedCommunity
Container methodology: Identifying containerization limits, Docker/K8s misconfigurations, and executing escapes to the host node.
4SKILL.mdUpdated Jun 12, 2026