webPromedium

DeployPilot

hackadvisor

Task: Express.js deployment dashboard with EJS templates, /reports/preview endpoint passes query params to res.render() as EJS options. Solution: WAF bypass using + instead of %20, then EJS SSTI via outputFunctionName option (CVE-2022-29078) to achieve RCE and read /root/flag.txt.

$ ls tags/ techniques/

waf_bypass rce ssti nodejs ejs express template_injection cve_2022_29078

ejs_outputfunctionname_sstiwaf_bypass_plus_encodingquery_param_to_render_options_pollutionbracket_notation_rce

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 36 — PulseBoard — Prototype Pollution to RCE via EJS— hackadvisor
[web][Pro]Lab 322 — NetPulse — IP Spoofing to RCE via Polling Agent API— hackadvisor
[web][Pro]Lab 29 — PackForge — Path Traversal to RCE via Template Injection— hackadvisor
[web][Pro]MailPulse— hackadvisor
[web][Pro]Lab 384 — DevPulse — RCE via AI Log Assistant Prompt Injection— hackadvisor