
We researched on HackTricks how to inject arbitrary code into Ruby ERB templates:

When we tried to view the details of BURP Protection, we got the response message "Unfortunately this product is out of stock". We were able to see that, in the URL, this message was carried in a ?message parameter.

We edited the parameter and saw that we could insert our own text there, because our text was rendered in the HTML page:

We used the payload <%= 7*7 %> and saw that this page is vulnerable to SSTI (Server-Side Template Injection), because we got the output 49:

This means that we could execute system commands on this web page. We then deleted the morale.txt file from Carlos's home directory using the payload <%=%20system(%27rm%20/home/carlos/morale.txt%27)%20%>, thus solving the lab:
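As an added illustration (not code from the original writeup or from the lab itself), the Ruby snippet below shows the ERB rendering pattern that makes a ?message parameter behave like this, next to the hardened form, plus a simple check a defender can run over request parameters. The lab's server code is not shown on the page, so the vulnerable pattern is an assumption; the 7*7 probe is the constructed sample input.

```ruby
require 'erb'
require 'cgi'

# Constructed sample input (the same probe used in the writeup).
PROBE = "<%= 7*7 %>"

# Vulnerable pattern (assumed, not the lab's actual code): the user-supplied
# value is concatenated INTO the template source, so ERB compiles and runs
# any <%= ... %> tags it contains. "<%= 7*7 %>" therefore renders as "49".
def render_vulnerable(message)
  ERB.new("<p>#{message}</p>").result(binding)
end

# Hardened pattern: the template source is fixed and the user value is only
# DATA inside it. The value is also HTML-escaped on output, so a tag like
# "<%= 7*7 %>" is shown literally and is never evaluated.
SAFE_TEMPLATE = ERB.new("<p><%= CGI.escapeHTML(message) %></p>")

def render_safe(message)
  SAFE_TEMPLATE.result(binding) # `message` is the method parameter
end

# Detection helper: flags parameter values that carry ERB tag syntax, which
# is what a 7*7 probe or a system(...) payload looks like in the query string.
ERB_TAG = /<%.*?%>/m

def erb_tag_present?(value)
  !!(ERB_TAG =~ CGI.unescape(value.to_s))
end

if __FILE__ == $PROGRAM_NAME
  puts render_vulnerable(PROBE) # <p>49</p>
  puts render_safe(PROBE)       # <p>&lt;%= 7*7 %&gt;</p>
  puts erb_tag_present?("%3C%25%3D%207*7%20%25%3E") # true (URL-encoded probe)
end
```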
