Packages and Binaries:
sstimap
Automatic SSTI detection tool with interactive interface
SSTImap is penetration testing software that checks websites for Code
Injection and Server-Side Template Injection vulnerabilities and exploits them,
giving access to the operating system itself.
Installed size: 357 KB
How to install: sudo apt install sstimap
Dependencies:
- python3
- python3-html5lib
- python3-mechanize
- python3-requests
- python3-urllib3
sstimap
root@kali:~# sstimap -h
usage: sstimap.py [-h] [-V] [--module MODULE] [--config CONFIG] [--no-color]
                  [-u URL] [-i] [--load-urls LOAD_URLS]
                  [--load-forms LOAD_FORMS] [-M MARKER] [-d DATA]
                  [--data-type DATA_TYPE] [--data-params KEY=VALUE]
                  [-H HEADER] [-C COOKIE] [-m METHOD] [-a USER_AGENT] [-A]
                  [--delay DELAY] [-p PROXY] [--verify-ssl] [--log-response]
                  [-c CRAWL_DEPTH] [-f] [--empty-forms]
                  [--crawl-exclude CRAWL_EXCLUDE]
                  [--crawl-domains CRAWL_DOMAINS] [--save-urls SAVE_URLS]
                  [--save-forms SAVE_FORMS] [-l LEVEL] [-L LEVEL CLEVEL]
                  [-e ENGINE] [-r TECHNIQUE] [--bool-ok BOOLEAN_REGEX_OK]
                  [--bool-err BOOLEAN_REGEX_ERR] [--bool-match BOOLEAN_MATCH]
                  [--bool-match-min BOOLEAN_MATCH_MIN]
                  [--bool-fuzzy STABLE ERROR] [--bool-samples COUNT MIN MAX]
                  [--blind-delay TIME_BASED_BLIND_DELAY]
                  [--verify-blind-delay TIME_BASED_VERIFY_BLIND_DELAY]
                  [--legacy] [--generic] [--run] [-t] [-T TPL_CODE] [-x]
                  [-X EVAL_CODE] [-s] [-S OS_CMD] [-B PORT] [-R HOST PORT]
                  [--remote-shell REMOTE_SHELL] [-F] [-U LOCAL REMOTE]
                  [-D REMOTE LOCAL]

SSTImap is an automatic SSTI detection and exploitation tool with
predetermined and interactive modes.

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit
  --module MODULE       Provide information about the module ('list' to show
                        all modules)
  --config CONFIG       Use custom config file or directory
  --no-color            Disable color in output

target:
  At least one of these options has to be provided to define target(s)

  -u, --url URL         Target URL (e.g. 'https://example.com/?name=test')
  -i, --interactive     Run SSTImap in interactive mode
  --load-urls LOAD_URLS
                        File or directory to load URLs from
  --load-forms LOAD_FORMS
                        File or directory to load forms from

request:
  These options can specify how to connect to the target URL and add
  possible attack vectors

  -M, --marker MARKER   Use string as injection marker (default '*')
  -d, --data DATA       Request body data param to send (e.g. 'param=value')
                        [Stackable]
  --data-type DATA_TYPE
                        Request body data type (default 'form')
  --data-params KEY=VALUE
                        Request body data processing params
  -H, --header HEADER   Header to send (e.g. 'Header: Value') [Stackable]
  -C, --cookie COOKIE   Cookie to send (e.g. 'Field=Value') [Stackable]
  -m, --method METHOD   HTTP method to use (default 'GET')
  -a, --user-agent USER_AGENT
                        User-Agent header value to use
  -A, --random-user-agent
                        Random User-Agent header value from a list of desktop
                        browsers on every request
  --delay DELAY         Delay between requests (Default/0: no delay)
  -p, --proxy PROXY     Use a proxy to connect to the target URL
  --verify-ssl          Verify SSL certificates (not verified by default)
  --log-response        Include HTTP responses into ~/.sstimap/sstimap.log

crawler:
  These options can specify how to detect URLs and forms on the target
  website.

  -c, --crawl CRAWL_DEPTH
                        Depth to crawl (default/0: don't crawl)
  -f, --forms           Scan page(s) for forms
  --empty-forms         Treat pages without params as GET forms
  --crawl-exclude CRAWL_EXCLUDE
                        RegEx in URLs to not crawl
  --crawl-domains CRAWL_DOMAINS
                        Crawl other domains: Y(es) / S(ubdomains) / N(o).
                        Default: S
  --save-urls SAVE_URLS
                        File or directory to save crawled URLs to
  --save-forms SAVE_FORMS
                        File or directory to save crawled forms to

detection:
  These options can be used to customize the detection phase.

  -l, --level LEVEL     Level of escaping to perform (1-5, Default: 1)
  -L, --force-level LEVEL CLEVEL
                        Force a LEVEL and CLEVEL to test
  -e, --engine ENGINE   Check only this backend template engine
  -r, --technique TECHNIQUE
                        Techniques: R(endered) E(rror-based) B(oolean error-
                        based blind) T(ime-based blind). Default: REBT
  --bool-ok BOOLEAN_REGEX_OK
                        RegEx to match when boolean error-based blind payload
                        evaluates correctly
  --bool-err BOOLEAN_REGEX_ERR
                        RegEx to match when boolean error-based blind payload
                        causes an error
  --bool-match BOOLEAN_MATCH
                        Comma-separated list of matching params or 'all'.
                        Default: code,header_count,cookie_count,byte_len,body_
                        len,body_words,body_lines,encoding,redirects,time,url,
                        content_type,server
  --bool-match-min BOOLEAN_MATCH_MIN
                        Minimum amount of usable params for matching. Default:
                        7
  --bool-fuzzy STABLE ERROR
                        Allow small deviations in some of the matching
                        parameters. Default: 0.05 0.1
  --bool-samples COUNT MIN MAX
                        Amount of tests to profile the page and payload sizes.
                        Default: 10 1 200
  --blind-delay TIME_BASED_BLIND_DELAY
                        Delay to detect time-based blind injection (Default: 4
                        seconds)
  --verify-blind-delay TIME_BASED_VERIFY_BLIND_DELAY
                        Delay to verify and exploit time-based blind injection
                        (Default: 30 seconds)
  --legacy              Include old payloads, that no longer work with newer
                        versions of the engines
  --generic             Try dedicated payloads for generic engines, detecting
                        more context.
  --run                 Run detection at the start of SSTImap in interactive
                        mode.

payload:
  These options can be used to get access to the template engine, filesystem
  or OS shell after an attack.

  -t, --tpl-shell       Prompt for an interactive shell on the template engine
  -T, --tpl-code TPL_CODE
                        Inject code in the template engine
  -x, --eval-shell      Prompt for an interactive shell on the template engine
                        base language
  -X, --eval-code EVAL_CODE
                        Evaluate code in the template engine base language
  -s, --os-shell        Prompt for an interactive operating system shell
  -S, --os-cmd OS_CMD   Execute an operating system command
  -B, --bind-shell PORT
                        Spawn a system shell on a TCP PORT of the target and
                        connect to it
  -R, --reverse-shell HOST PORT
                        Run a system shell and back-connect to local HOST PORT
  --remote-shell REMOTE_SHELL
                        Expected system shell on the target (default
                        '/bin/sh')
  -F, --force-overwrite
                        Force file overwrite when uploading
  -U, --upload LOCAL REMOTE
                        Upload LOCAL to REMOTE files
  -D, --download REMOTE LOCAL
                        Download REMOTE to LOCAL files
Updated on: 2026-Mar-02