Neonify
Web challenge Neonify
It’s time for a shiny new reveal for the first-ever text neonifier. Come test out our brand new website and make any text glow like a lo-fi neon tube!
Source Code Review
This application uses Ruby 2.7.5 and has a single route / that receives input from the user and renders it inside a template. SSTI?
require 'sinatra'
require 'erb'

post '/' do
  # Line-anchored check: in Ruby ^ and $ match at each line boundary, not over the whole string
  if params[:neon] =~ /^[0-9a-z ]+$/i
    # The user input itself becomes the ERB template source and is evaluated
    @neon = ERB.new(params[:neon]).result(binding)
  else
    @neon = "Malicious Input Detected"
  end
  erb :'index'
end
ERB.new() creates a new ERB template from the user input, so whatever passes the check is evaluated as template code. The regular expression is meant to ensure the input contains only letters, numbers and spaces. As pointed out in this article from David, with match(/^[0-9a-z]+$/) in Ruby the ^ and $ anchors match at the start and end of each line, not of the entire string. So we can add a %0a (\n) linefeed to bypass the filter: the first line satisfies the regex and the second line is never checked.
Local Testing
We send this payload with Burp Suite using the Hackvector extension.
abc%0a<@urlencode><%= 7*7 %><@/urlencode>
Proof of Concept
Mitigation
As we can read here, we need to improve our regex so that it matches the beginning and end of the entire string: in Ruby that means the \A and \z anchors instead of ^ and $.
require 'sinatra'
require 'erb'

post '/' do
  # String-anchored check: \A and \z match only at the very start and very end of the input
  if params[:neon] =~ /\A[0-9a-z ]+\z/i
    @neon = ERB.new(params[:neon]).result(binding)
  else
    @neon = "Malicious Input Detected"
  end
  erb :'index'
end
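The following Ruby script is an added example, not code from the challenge, and it pulls together both the bypass described in the source code review and the mitigation above. It runs the line-anchored filter and the string-anchored filter over a constructed benign value and the newline-smuggled payload from the writeup, shows what the vulnerable handler would evaluate, and contrasts that with a fixed template that treats the input as escaped data. The helper names (accepted_by?, render_as_template, render_as_data) and the span markup are assumptions for illustration.

```ruby
# Added example (not the challenge's code): compare the line-anchored regex the
# challenge shipped with against the string-anchored fix, and show a rendering
# pattern that never compiles user input as ERB source.
require 'erb'

# Line-anchored: ^ and $ match at every line boundary in Ruby, so an input is
# accepted as soon as one of its lines is entirely alphanumeric.
WEAK_FILTER   = /^[0-9a-z ]+$/i
# String-anchored: \A and \z match only the start and the very end of the string.
STRICT_FILTER = /\A[0-9a-z ]+\z/i

# Returns true when the whole input is accepted by the given filter.
def accepted_by?(filter, input)
  !!(input =~ filter)
end

# Mirrors the vulnerable handler: the input is the ERB template source, so any
# <%= %> tag that slips past the filter is evaluated. Used here only to show
# what the weak filter lets through.
def render_as_template(input)
  ERB.new(input).result(binding)
end

# Safer pattern (hypothetical markup): the template is fixed, the input is a
# local variable, and html_escape neutralises tag characters before output.
def render_as_data(input)
  neon = input
  ERB.new("<span class=\"neon\"><%= ERB::Util.html_escape(neon) %></span>").result(binding)
end

# Constructed sample inputs: a benign value and the payload from the writeup
# with the %0a already decoded to a real linefeed.
BENIGN  = "hello world"
PAYLOAD = "abc\n<%= 7*7 %>"

if __FILE__ == $0
  [BENIGN, PAYLOAD].each do |input|
    puts "#{input.inspect}: weak=#{accepted_by?(WEAK_FILTER, input)} strict=#{accepted_by?(STRICT_FILTER, input)}"
  end
  puts "data rendering of payload: #{render_as_data(PAYLOAD).inspect}"
end
```

The weak filter accepts the payload because its first line is clean, and the template then evaluates the second line; the strict filter rejects it. Even with the regex fixed, the handler still compiles user input as template source, so render_as_data is the shape to prefer: the template is a constant and the input only ever appears as escaped data.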


