This challenge was part of the STACK the Flags 2020 CTF organized by GovTech. I solved this challenge after the CTF was over as it wasn't available to us during the CTF.

This is a pretty interesting challenge that requires exploiting a prototype pollution vulnerability in one library (ion-parser) in order to manipulate another library (blade) and achieve remote code execution.

SHA256: 23fe6d930ad391511e6d2ad1987d9d0531be88705711caaea9efe2efa6da5923

A quick glance at the provided source code tells us that this is a web application written in NodeJS. Looking at app.js, we find the routers being defined for the web application, for example:

app.use('/ransomware', ransomwaresRouter)

Looking through the other JavaScript code, we learn that this appears to be a ransomware dashboard detailing any collected ransom(s), the victim(s) and details of any deployed ransomware(s). One interesting observation is that the data can be exported in the TOML format (Tom's Obvious, Minimal Language), which looks similar to YAML.

Performing a quick audit of the entire source code, we don't find any obvious vulnerability in any of the defined routes. However, there is one particular route in ransomwares.js that appears to be incomplete and, more importantly, passes unsanitized user input into a TOML parser (ion-parser).
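To make the prototype pollution primitive concrete, here is an added example that is not part of the original writeup and is not ion-parser's, blade's or the challenge's own code. It is a constructed, TOML-style dotted-key parser in JavaScript: one nested-assignment routine that never rejects a `__proto__` segment (so a key like `__proto__.compileDebug = true` lands on `Object.prototype` and every object in the process inherits it) and a hardened routine that refuses prototype-reaching segments. The `renderWithOptions` helper is a hypothetical stand-in for any downstream library that reads an option it was never explicitly given; the `ATTACKER_TOML` payload and the `compileDebug` option name are constructed for the illustration.

```javascript
// Added illustration: a toy TOML-style parser showing how a parser that assigns
// dotted keys without checks pollutes Object.prototype, beside a hardened version.
// This is NOT ion-parser's or blade's code; keys and payload are constructed.

// Naive nested assignment: walks/creates each segment of a dotted key.
// "__proto__" is treated like any other segment, so cur["__proto__"] resolves to
// Object.prototype and the final assignment writes onto it.
function setPathUnsafe(target, path, value) {
  const parts = path.split('.');
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const p = parts[i];
    if (typeof cur[p] !== 'object' || cur[p] === null) cur[p] = {};
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened variant: reject segments that can reach a prototype, only descend into
// own properties, and build intermediate objects with no prototype at all.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, path, value) {
  const parts = path.split('.');
  for (const p of parts) {
    if (FORBIDDEN.has(p)) throw new Error(`refusing to assign through "${p}"`);
  }
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const p = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, p);
    if (!own || typeof cur[p] !== 'object' || cur[p] === null) cur[p] = Object.create(null);
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Minimal value grammar: booleans, numbers and double-quoted strings.
function parseValue(raw) {
  const v = raw.trim();
  if (v === 'true') return true;
  if (v === 'false') return false;
  if (/^-?\d+(\.\d+)?$/.test(v)) return Number(v);
  if (v.length >= 2 && v.startsWith('"') && v.endsWith('"')) return v.slice(1, -1);
  throw new Error(`unsupported value: ${raw}`);
}

// Parse "key = value" lines into a fresh object using the supplied assignment routine.
function parseToml(text, setPath) {
  const out = {};
  for (const line of text.split('\n')) {
    const l = line.trim();
    if (!l || l.startsWith('#')) continue;
    const eq = l.indexOf('=');
    if (eq < 0) throw new Error(`bad line: ${line}`);
    setPath(out, l.slice(0, eq).trim(), parseValue(l.slice(eq + 1)));
  }
  return out;
}

// Hypothetical downstream consumer: reads an option from a plain object it was
// handed. If that key was never set, the lookup falls through to the prototype.
function renderWithOptions(options = {}) {
  return options.compileDebug ? 'debug-path' : 'normal-path';
}

// Constructed attacker-controlled document (think: the dashboard's TOML import).
const ATTACKER_TOML = ['name = "sample"', '__proto__.compileDebug = true'].join('\n');

// Run the unsafe parser, observe the leak on unrelated objects, then restore the
// process so the pollution does not outlive the demonstration.
function demoUnsafe() {
  const before = renderWithOptions();
  const parsed = parseToml(ATTACKER_TOML, setPathUnsafe);
  const after = renderWithOptions();            // polluted: 'debug-path'
  const visibleKeys = Object.keys(parsed);      // pollution is invisible here
  delete Object.prototype.compileDebug;
  return { before, after, visibleKeys };
}

// The hardened parser rejects the payload outright.
function demoSafe() {
  try {
    parseToml(ATTACKER_TOML, setPathSafe);
    return 'parsed';
  } catch (e) {
    return e.message;
  }
}

console.log(demoUnsafe(), demoSafe());
```

Note that `Object.keys(parsed)` shows only `name`: the pollution never appears in the parsed result, which is why it is easy to miss in a quick audit of the route that calls the parser. The downstream consumer only needs to read an option it was not explicitly given for the attacker's value to take effect.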