-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSTImap should test simple payload, otherwise may return false positive result #30
Comments
same problem but the problem is the web not use template engine or maybe is just junk http packet maybe because error from web like 5xx or waf can cause false positive or the target web not vuln with ssti just junk http |
@alasalamont Why is your case false positive? SSTImap correctly identified the template injection as rendered I will work on improving the payload system though, as bash is not always present on the target. |
@mrdragonblack the problem you described is most likely caused by blind detection with small delay. Increase the delay or disable blind detection |
Yup you are correct. I suggest add more some payload to test to double-check. Like in this case, the sysetm has no bash ^^ |
I will do something about that, making more payload variations once the language is detected. |
Blind false positives should be fixed in 1.2.0 As for payloads with bash - this will come in later versions |
Hi brother,
I did test SSTImap on this workshop, at
25_template_freemarker
When I use simple payload, it works
But when the tool use its payload, it does not work
The site returns
Because of this, the tool also return false positive result
The text was updated successfully, but these errors were encountered: