Tplmap Versions Save

Server-Side Template Injection and Code Injection Detection and Exploitation Tool

v0.5

5 years ago
  • Use stdout for prints to close #47
  • Support Python3 to close #33
  • Use Docker for testing environments
  • Use TravisCI
  • Fix Smarty caching quirks
  • Add requirements.txt
  • Fix Jinja2 false negatives

v0.4.1

6 years ago

v0.4

6 years ago
  • Add @jx6f 's Burpsuite module
  • Add @jx6f 's Dockerized test environment
  • Add ERB template engine
  • Rewrite Plugin object
  • Add Slim template engine
  • Add Ruby eval module
  • Support injection in URL
  • Supports HTTP Proxy
  • Add Tornado plugin test

v0.3.1

7 years ago
  • Improve render detection method
  • Skip TLS certificate check
  • Add Marko Plugin
  • Add doT Plugin

v0.2

7 years ago
  • Exploitation of Dust.js template engine.
  • Fix command execution payloads for Velocity template engine as suggested by @henshin.
  • Exploitation of generic code injections for Python, JavaScript and PHP applications.
  • Improve how to select the injection points via the command line.

v0.1

7 years ago
  • Core
  • Detection and exploitation plugins for Mako, Jinja2, Velocity, Freemarker, Jade, Nunjucks, Smarty, Twig
  • Blind exploitation
  • Code context escape