Create your own plugins

Using custom payloads

Document format

Each plugins concern a single language, all plugins can be found in the plugins folder named like this: <language>.yml.

The document format is the following:

version: 1.0.0
name: Python
engines:
  - name: Mako
    payloads:
      - id: python_mako_ecA9Ba9885
        payload: ${21389+219839}
        response:
          expected: 241228
          invalidate: ${241228}
          error: false

version: The version of the plugin
name: The name of the language
engines: The template engines of the language
- name: The name of the template engine
- payloads: The payloads to use
  - id: The ID of the payload
  - payload: The payload to use
  - response: The response to expect
    - expected: The expected response
    - invalidate: The payload to use to invalidate response
    - error: If the response is an error

GoSSTI engine will replace the string "SSTI" in the provided options with the payload, looking for the response to contain the "expected" but not the "invalidate" value. If your payload should throw an error, you can set the "error" value to true. This will make GoSSTI engine looking for the "expected" value in the error message.

To add a new payload, you can add a new payload in the payloads section of the plugin.

Define the payload ID like this: <language>_<template_engine>_<random_string>

You can generate a random string with the following command:

python3 -c "import random; import string; print(''.join(random.choice(string.hexdigits) for i in range(10)))"

Installation CLI