This lab covers basic server-side template injection.

“This lab is vulnerable to server-side template injection due to the unsafe construction of an ERB template.

To solve the lab, review the ERB documentation to find out how to execute arbitrary code, then delete the `morale.txt` file from Carlos’s home directory.”

As always, it is a good idea to click around and get a feel for the web app. After checking the functionality, we notice something: clicking the first product shows the message “Unfortunately this product is out of stock”. This happens only for that product; the others are not displayed this way. The message text travels in the request and is reflected back into the page, which makes it a candidate for template injection.

We find this GET request in Burp Suite and send it to Repeater.

To check for the vulnerability, we inject a simple arithmetic expression, `<%= 7*7 %>`, into the message parameter. If the response renders `49` instead of echoing the literal string, the input was evaluated server-side as part of a template. That is what happens here, confirming server-side template injection. The `<%= ... %>` tag syntax is ERB, Ruby's built-in template engine, so the payload needs to be Ruby.

To delete `morale.txt` we need arbitrary code execution. An ERB `<%= ... %>` tag evaluates any Ruby expression, so a call to `system` does the job:

```erb
<%= system("rm /home/carlos/morale.txt") %>
```

Because the payload is sent in the URL query string, it has to be URL-encoded first. The spaces, quotes, `<` and `>` must be encoded, and so must the `%` characters of the tag delimiters, since a raw `%` in a query string is parsed as the start of a percent-encoded byte.

Once the payload is encoded, we place it in the message parameter and send the request.
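As an added example that is not part of the original writeup, the following Ruby script models the unsafe ERB construction the lab describes next to a hardened version, and carries out the URL encoding of the payload. The function names, the `<p>...</p>` page template and the detection inputs are assumptions made for illustration; the `rm` payload is only encoded and decoded, never rendered, so nothing here touches the file system.

```ruby
require 'erb'
require 'uri'

# Constructed sample: the payload from the writeup (encoded below, never executed).
PAYLOAD = '<%= system("rm /home/carlos/morale.txt") %>'

# Vulnerable pattern (what the lab models): the user-controlled message is
# interpolated into the template *source* before ERB compiles it, so any
# <% %> or <%= %> tags in the input are compiled and executed as Ruby.
def render_unsafe(message)
  template = "<p>#{message}</p>"
  ERB.new(template).result(binding)
end

# Hardened pattern: the template text is a fixed string and the message is
# handed to ERB as data, so tags inside the data are never compiled.
# html_escape additionally stops the value from being interpreted as HTML.
def render_safe(message)
  template = "<p><%= ERB::Util.html_escape(message) %></p>"
  ERB.new(template).result_with_hash(message: message)
end

# URL-encode the payload for a query-string parameter. ERB::Util.url_encode
# percent-encodes every byte outside the unreserved set, which covers the
# characters that matter here: space, quotes, < >, and above all the '%'
# of the ERB tag delimiters.
def url_encode_payload(payload)
  ERB::Util.url_encode(payload)
end

# Decode the way a web framework would before the value reaches the template,
# to confirm the encoding round-trips to the exact original payload.
def url_decode_param(encoded)
  URI.decode_www_form_component(encoded)
end

if __FILE__ == $0
  # Detection: arithmetic is evaluated, so the page shows 49, not the tag.
  puts render_unsafe("<%= 7*7 %>")
  # Any Ruby expression runs through the same sink (harmless call shown here).
  puts render_unsafe('<%= File.basename("/home/carlos/morale.txt") %>')
  # Hardened version prints the tag back literally, HTML-escaped.
  puts render_safe("<%= 7*7 %>")
  encoded = url_encode_payload(PAYLOAD)
  puts encoded
  puts url_decode_param(encoded) == PAYLOAD
end
```

The difference between the two renderers is the whole lesson of the lab: in `render_unsafe` the input becomes template code, in `render_safe` it stays data. The same `7*7` probe distinguishes them, which is why it is the standard first test for template injection.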

The file is deleted and the lab is solved.
