Tplmap is tool of a Python, can find Wu of code infuse kimono through using technology of sandbox transferred meaning implement infuse of upright pattern plate (SSTI) flaw. This tool can use SSTI to visit target file system or operating system in a lot of pattern plate engine. A few pattern plate engine that get support include PHP (code is evaluated) , ruby (code is evaluated) , javeScript (code is evaluated) , python (code is evaluated) , ERB, jinja2 and Tornado. This tool can carry out the blind infuse of these pair of pattern plate engine, have the capacity of executive telecommand.
Install TplmapCan use link of the following Github to store from Github the library overcomes grand this tool to install Tplmap through making.
Git Clone Https://github.com/epinna/tplmap
After be being installed successfully, change catalog way install a file for Tplmap in order to start Tplmap.py.
Check the flaw in Web application processTplmap exploited the loophole of file system not only, and still have the capacity that uses different parameter to visit rock-bottom operating system. Scheme of check of the following screen showed the different parameter option that can be used at visitting fundamental operating system
The following command can be used at checking the suffers attack easily parameter in target URL.
. / '> of network address of target of Tplmap.py -u <'
After executing this order, this tool can check target URL in the light of many plug-in unit in order to search code infuse opportunity.
If discover flaw, this tool will export the detailed information that about the likelihood in the target infuse nods. These include GET parameter to be worth (no matter be Id or name) , pattern plate engine (for example Tornado) , OS (for example Linux) with infuse technology (for example apply colours to a drawing, blind) .
To getting the target operating system of attack easily, can use in front mention among them a parameter runs Tplmap command afresh. For example, we can carry the following kind will - Os -shell option and Tplmap command are used together.
. / Tplmap.py- - '> of network address of target of Os-shell -u <'
- the code that Os -shell option starts bogus terminal to need in order to carry out place on target operating system.