SSTImap Extra Plugins
This repository contains SSTImap plugins that might be useful in some specific cases but are too situational to include in the main repository.

- Install the latest version of SSTImap.
- Clone this repository inside the `plugins/` directory of SSTImap.

Alternatively, the required plugins can be saved manually in the `plugins/custom/` directory of SSTImap.
| Plugin | Ver. | RCE | Tech | Code evaluation | Type |
|---|---|---|---|---|---|
| expr-eval | 1.2.3 | ✓ | REBT | JavaScript | CVE? |
| CVE_2025_1302 | 1.2.3 | ✓ | REBT | JavaScript | CVE |
| CVE-2022-23614 | 1.2.3 | ✓ | R_BT | PHP | CVE |
| CVE_2024_6386 | 1.2.3 | ✓ | REBT | PHP | CVE |
| Smarty_old | 1.2.3 | ✓ | REBT | PHP | old |
| Jinja2_old | 1.2.3 | ✓ | REBT | PHP | old |

Techniques: (R)endered, (E)rror-based, (B)oolean error-based blind and (T)ime-based blind; a lowercase letter marks a partially supported technique.
- expr-eval - expr-eval <= 2.0.2 RCE via JavaScript eval

  expr-eval up to the latest version 2.0.2 is vulnerable to JavaScript eval injection. The plugin automates detection and exploitation of this flaw and provides post-exploitation capabilities.

- CVE_2025_1302 - JSONPath Plus < 10.3.0 RCE via JavaScript eval

  The plugin automates detection and exploitation of CVE-2025-1302 and provides post-exploitation capabilities. It can automatically detect many JSONPath injection contexts, and more will be added in the future.

- CVE-2022-23614 - Sandbox bypass in Twig >=2.12 <2.14.11 and >=3.0 <3.3.8

  The plugin automates detection and exploitation of CVE-2022-23614, bypassing the Twig sandbox using the `|sort` filter with PHP functions.

- CVE_2024_6386 - WPML Multilingual CMS Contributor+ RCE via Twig SSTI

  The plugin automates detection and exploitation of CVE-2024-6386 and provides post-exploitation capabilities. Correctly set `X-WP-Nonce` and `Content-Type` headers as well as cookies are required for exploitation. Example:

  ```
  ./sstimap.py -i -e CVE_2024_6386 --data-type json -m POST -H "Content-Type: application/json" -H "X-WP-Nonce: ..." -H "Cookie: ..." -d '{"id":...,"content":"*"}' -u "http://localhost/index.php?rest_route=%2Fwp%2Fv2%2Fpages%2F..."
  ```

- Smarty_old - Smarty template engine prior to version 3.0 using `{php}{/php}` tags

- Jinja2_old - Old long payloads for the Jinja template engine
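As an added example, not code from this repository or from SSTImap, here is the defensive counterpart to the CVE-2022-23614 entry above: a Twig sandbox policy that leaves the `sort` filter out of its allow-list, so a sandboxed template on a still-unpatched 2.x/3.x install cannot hand a PHP function name to that filter at all. The template names, the allow-lists and the two sample templates are constructed for the example, and Composer autoloading is assumed; upgrading to Twig 2.14.11 / 3.3.8 or later remains the actual fix.

```php
<?php
// Added example, not part of SSTImap or this plugin repository.
// Demonstrates narrowing the Twig sandbox so that `|sort` is not available to
// user-controlled templates. Assumes Twig 2.x/3.x installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Allow-list only what user-supplied templates genuinely need.
// `sort` is deliberately absent from the filter list (constructed lists).
$policy = new SecurityPolicy(
    ['if', 'for'],                  // allowed tags
    ['escape', 'upper', 'length'],  // allowed filters: no `sort`
    [],                             // allowed methods
    [],                             // allowed properties
    []                              // allowed functions
);

// Constructed sample templates: one benign, one that tries to use `sort`
// with a plain PHP function name (strlen here, harmless on purpose).
$loader = new ArrayLoader([
    'ok.twig'    => '{{ name|upper }}',
    'probe.twig' => '{{ items|sort("strlen") }}',
]);

$twig = new Environment($loader, ['autoescape' => 'html']);
// Second argument `true` sandboxes every template, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

foreach (['ok.twig', 'probe.twig'] as $tpl) {
    try {
        $out = $twig->render($tpl, ['name' => 'wpml', 'items' => ['bb', 'a']]);
        echo $tpl, ': rendered -> ', $out, PHP_EOL;
    } catch (SecurityError $e) {
        // The sandbox refuses the disallowed filter before any callable
        // reaches PHP; SecurityNotAllowedFilterError extends SecurityError.
        echo $tpl, ': blocked (', get_class($e), ')', PHP_EOL;
    }
}
```

The point of the allow-list is that a sandbox policy built by naming only the filters a template needs fails closed: a filter the policy never heard of, `sort` included, is rejected with a `SecurityError` rather than reaching the engine's filter implementation.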
New plugins are always welcome in PRs.

- Use the `-e`/`--engine` option with the name of the plugin's class to use a specific plugin, e.g. `-e CVE_2024_6386`
- Use the `-p`/`--proxy` option with BurpSuite or a similar tool to see the requests, e.g. `-p http://127.0.0.1:8080`
- Use interactive mode (`-i`/`--interactive`) to preserve settings between runs. Use `run` to run tests and `reload` to reload plugins from disk (e.g. after some changes)
- Use `--data-type fromhex` to provide the request body as a hex-encoded string with `*` as the injection marker, if the body format is not supported otherwise, e.g. `--data-type fromhex --data E29885C2AB*C2BBE29885`
- Install the latest version of SSTImap
- Copy the `CVE_2024_6386.py` plugin to `plugins/custom` inside the SSTImap directory
- Run the following command:

  ```
  ./sstimap.py -i -e CVE_2024_6386 -p http://127.0.0.1:8080 --data-type json -m POST -H "Content-Type: application/json" -H "X-WP-Nonce: ..." -H "Cookie: ..." -d '{"id":...,"content":"*"}' -u "http://localhost/index.php?rest_route=%2Fwp%2Fv2%2Fpages%2F..."
  ```

- Use the `run` command to test the payload
- Edit the payload, then use the `reload` and `run` commands