tplmap
Bot User-Agent: tplmap
⚠️ Overview
tplmap is an open-source automated tool designed to detect and exploit Server-Side Template Injection (SSTI) vulnerabilities. Originally developed by epinna and made publicly available on GitHub at https://github.com/epinna/tplmap, the tool is maintained by the security community and has been widely referenced in penetration testing methodologies since its release around 2016.
🔧 Technical Capabilities
tplmap automates the process of identifying template injection points across a wide range of template engines, including Jinja2, Twig, Freemarker, Velocity, Mako, Smarty, and Ruby’s ERB. It sends crafted payloads—such as {{7*7}} or ${7*7}—and checks whether the server evaluates the arithmetic and reflects the result in its response. Once a vulnerable parameter is confirmed, tplmap attempts to escalate to remote code execution (RCE) by injecting template expressions that invoke operating system commands, read local files, or perform blind SQL injection, depending on the engine. The tool supports blind injection detection using out-of-band channels, such as DNS or HTTP callbacks, when direct output is not visible. It also offers interactive shell sessions, file system traversal, and Python-based command execution for engines like Jinja2 and Mako. According to the official GitHub repository, tplmap integrates with Burp Suite and can be run as a standalone command-line utility with options for proxy support, cookie handling, and custom HTTP headers.
📜 History & Notable Incidents
tplmap was first released around 2016 following the publication of research on SSTI exploitation by James Kettle (PortSwigger) and others. The tool gained popularity after being demonstrated at security conferences such as Black Hat and OWASP AppSec. It has been used in numerous penetration tests and bug bounty programs, contributing to the discovery of SSTI vulnerabilities in platforms like Jenkins (CVE-2016-9299), Oracle WebLogic (CVE-2019-2725), and various content management systems. While no single high-profile breach has been directly attributed to tplmap, it is a staple in red team arsenals and is frequently cited in exploit write-ups for SSTI flaws.
🔍 Detection Indicators
Traffic from tplmap typically consists of multiple requests containing template syntax strings such as {{7*7}}, {7*7}, ${7*7}, or Python Flask/Jinja2-specific injections. The default User-Agent is often python-requests/2.x.x (inherited from the Python requests library), though attackers may modify it. Behavioral fingerprints include sequential probing with numeric evaluation, followed by file-reading attempts (self._ evallang), and repeated parameter fuzzing against the same endpoint. High-frequency requests with identical patterns targeting a single parameter are a strong indicator of automated SSTI scanning.
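As an added example (not part of this profile or of the tplmap project), a small Python log triage that flags the indicators described above: template-arithmetic probes against one parameter, counted per source and endpoint, plus the tool-like User-Agent. The access-log lines are constructed for the demonstration; the threshold is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Probe forms named above: {{7*7}}, {7*7}, ${7*7}. The operands are matched
# generically so other integer pairs (e.g. {{3*3}}) are caught as well.
PROBE_RE = re.compile(r"(?:\{\{|\$\{|\{)\s*\d+\s*\*\s*\d+\s*\}\}?")
# Default UA inherited from python-requests, or the tool's own name.
UA_RE = re.compile(r"^(?:python-requests/|tplmap)", re.IGNORECASE)
# Combined log format (assumed): ip ident user [time] "METHOD target proto" status bytes "ref" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \d+ "[^"]*" "([^"]*)"$')

def parse_line(line):
    """Split one access-log line into ip, method, path, decoded query params and UA."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, ua = m.groups()
    url = urlsplit(target)
    # parse_qs percent-decodes, so %7B%7B7*7%7D%7D becomes {{7*7}} before matching.
    params = parse_qs(url.query, keep_blank_values=True)
    return {"ip": ip, "method": method, "path": url.path, "params": params, "ua": ua}

def find_ssti_probes(lines, threshold=3):
    """Return ({(ip, path, param): probe_count} for counts >= threshold, {tool-like UAs})."""
    hits = Counter()
    tool_uas = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if UA_RE.match(rec["ua"]):
            tool_uas.add(rec["ua"])
        for name, values in rec["params"].items():
            if any(PROBE_RE.search(v) for v in values):
                hits[(rec["ip"], rec["path"], name)] += 1
    flagged = {k: n for k, n in hits.items() if n >= threshold}
    return flagged, tool_uas

# Constructed sample traffic: three probes against /search?q= from one source, one benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=%24%7B7*7%7D HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=%7B7*7%7D HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=laptops HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_ssti_probes(SAMPLE_LOG))
```

A single probe can be a curious user; the per-parameter count is what separates automated scanning from noise.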
☠️ Risk & Impact
Successful exploitation via tplmap can lead to full remote code execution on the victim server, allowing attackers to install web shells, exfiltrate databases, pivot to internal networks, or perform denial-of-service attacks. The tool can also read sensitive files such as /etc/passwd or application configuration files containing credentials, leading to complete compromise of the web application and its underlying infrastructure.
🛡️ Mitigation
tplmap is a confirmed malicious scanning tool that probes for SSTI vulnerabilities with the intent to compromise the server. It is blocked immediately on detection to prevent exploitation and data loss, with WAF rules typically matching template injection payloads and the tool’s characteristic request patterns.