Metadata-Version: 2.3
Name: sstininja
Version: 0.1.1
Summary: Add your description here
Requires-Dist: flask>=3.1.3
Requires-Dist: jinja2>=3.1.6
Requires-Dist: requests>=2.33.1
Requires-Dist: rich>=15.0.0
Requires-Dist: typer>=0.25.1
Requires-Python: >=3.12
Description-Content-Type: text/markdown

# SSTIninja

A Server-Side Template Injection (SSTI) detection and exploitation tool.
Given a URL and a parameter, it fingerprints the template engine, probes
WAF / sandbox restrictions, searches for a working payload, and verifies
RCE end-to-end.

Supports Jinja2, Tornado, Mako, Twig, and Smarty.

## Install

```bash
# one-shot, no install
uvx --from git+https://github.com/WangYihang/sstininja sstininja --help

# or install
pip install git+https://github.com/WangYihang/sstininja

# or from a local clone
pip install -e .
```

Requires Python 3.12+.

## Use

**Exploit a remote URL:**

```bash
sstininja probe --url 'http://target/page' --param name
```

**Exploit a local Jinja2 sandbox (research / CTF):**

```bash
sstininja probe --context empty_string --sandbox none --target os.popen
```

**Run the benchmark suite:**

```bash
sstininja bench run
```

**Run the HTTP eval corpus:**

```bash
sstininja eval run --corpus eval/corpus/local_flask.toml
```

Run `sstininja --help` to see all commands.
