# N/A
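## Vulnerability Overview
A remote code execution vulnerability exists in Rails when it runs in development mode. An attacker can guess the automatically generated development-mode secret token and combine it with other Rails internals to achieve remote code execution.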
## Affected Versions
- Rails <5.2.2.1
- Rails <6.0.0.beta3
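## Vulnerability Details
An attacker is able to guess the secret token that Rails generates automatically in development mode. Combined with other Rails internals, the attacker can use this token to go on to execute code remotely.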
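## Impact
In development mode, this vulnerability allows an attacker to guess the secret token and combine it with other internal mechanisms to ultimately achieve remote code execution, which makes it a relatively high risk.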
# | POC description | Source link | Shenlong link |
---|---|---|---|
1 | CVE-2019-5420 (Ruby on Rails) | https://github.com/knqyf263/CVE-2019-5420 | POC details |
2 | cve-2019-5420 | https://github.com/cved-sources/cve-2019-5420 | POC details |
3 | None | https://github.com/AnasTaoutaou/CVE-2019-5420 | POC details |
4 | None | https://github.com/Eremiel/CVE-2019-5420 | POC details |
5 | POC Exploit written in Ruby | https://github.com/scumdestroy/CVE-2019-5420.rb | POC details |
6 | A vulnerability can allow an attacker to guess the automatically generated development mode secret token. | https://github.com/j4k0m/CVE-2019-5420 | POC details |
7 | None | https://github.com/mmeza-developer/CVE-2019-5420-RCE | POC details |
8 | None | https://github.com/CyberSecurityUP/CVE-2019-5420-POC | POC details |
9 | Exploit for the Rails CVE-2019-5420 | https://github.com/trickstersec/CVE-2019-5420 | POC details |
10 | Exploit in Rails Development Mode. With some knowledge of a target application it is possible for an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit. | https://github.com/PenTestical/CVE-2019-5420 | POC details |
11 | Ruby deserialization command execution vulnerability (CVE-2019-5420) - vulfocus walkthrough version | https://github.com/laffray/ruby-RCE-CVE-2019-5420- | POC details |
12 | cve-2019-5420 POC simple ruby script | https://github.com/WildWestCyberSecurity/cve-2019-5420-POC | POC details |
13 | A PoC of CVE-2019-5420 I made for PentesterLab | https://github.com/sealldeveloper/CVE-2019-5420-PoC | POC details |