• Two new detection and exploitation techniques

Error-based
Boolean error-based blind

• Techniques are now tested in the specified order
• Generic template engines are now skipped by default in favor of generic plugins
• Plugins can now specify header and trailer length
• Context suffix can now include closure or reversed closure (not used by plugins yet)
• Base64 exfiltration support (not used by plugins yet)
• New plugin for Spring EL injection
• Twig CVE payload was moved to Extras in favor of |map()-based payload
• Fromfile data type to provide request body parts through files
• Freemarker now supports expression evaluation
• Dust.js now supports rendered code execution
• Some plugins were moved to legacy status
• Old payloads for Jinja and Smarty were moved to extras
• SSTImap can now run with disabled form detection if dependencies are not installed
• Fixed some bugs

• New payload for Twig exploiting CVE-2022-23614

Old payload renamed to Twig_v1
Alternate payload: legacy/Twig_filter

• Request body type support:

form: URLencoded form data (default)
json: JSON data
text: Plain text data
fromhex: Binary data encoded as HEX

• Blind detection now uses separate longer time for verification and exploitation

Detected blind injections are now verified to produce less false positives
Warning is printed if detected delays vary more than expected

• Improved some payloads by removing unused closures
• Added a way to specify expected target system shell
• URLs without params are no longer treated as forms by default
• Added clarity with text and colors
• Fixed some bugs

• Crawler and form detection (by @fantesykikachu)
• New template engine added: Cheetah
• Automatic import for engine modules
• Interactive module reloading capability
• Full support for Python 3.11
• Replaced telnetlib with a custom TCP client

First release of SSTImap