# CVE-2020-8163

Environment and exploit for CVE-2020-8163: blind remote code execution via user-provided local names in Rails < 5.0.1 and < 4.2.11.2.
## Create the environment
1. Create a Docker container, mapping host port 8001 to container port 4000
```
sudo docker run --rm -it -p 8001:4000 ruby:2.3 bash
```
2. Update the package index and install the tools needed inside the container
```
apt update && apt install unzip libz-dev libiconv-hook1 libiconv-hook-dev net-tools nodejs -y
```
3. Get the container id
```
sudo docker ps
```
4. Zip the app and copy it into the container (replace `id_container` with the id from the previous step)
```
zip -r test_cve-2020-8163.zip test_cve-2020-8163/
sudo docker cp test_cve-2020-8163.zip id_container:/opt/
```
5. Unzip the app and install its gems with bundler
```
cd /opt
unzip test_cve-2020-8163.zip
cd test_cve-2020-8163
bundle
```
6. Start the Rails server, listening on all interfaces so the host can reach it through the mapped port
```
bundle exec rails s -p 4000 -b '0.0.0.0'
```
7. To avoid repeating the whole process later, commit the container as an image
```
sudo docker commit id_container name_of_commit
```
## Exploit
1. Run the exploit against the test app, passing the target URL and the command to execute
```
ruby exploit.rb http://localhost:8001/main/index "uname -a"
```
2. Check the Rails log to see the command output: the execution is blind, so nothing is returned in the HTTP response
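As an added defensive example, not part of this PoC and not Rails code, the standalone Ruby helper below shows the mitigation for this bug class: local-variable names that originate in request parameters are checked against a fixed allowlist of plain identifiers before anything is handed to `render ... locals:`, so a view only ever receives the locals it declares. The helper name `safe_render_locals`, the `UnsafeLocalName` error class and the sample hashes are assumptions made for this example.

```ruby
# Added mitigation example (hypothetical helper, not the PoC's or Rails' code):
# validate user-supplied local-variable names before they reach
# `render ... locals:`.

# A local name must be a plain Ruby identifier; anything else is rejected.
VALID_LOCAL_NAME = /\A[a-z_][a-z0-9_]*\z/.freeze

# Raised when a request tries to supply a local the view does not declare.
class UnsafeLocalName < ArgumentError; end

# True only if `name` is a well-formed identifier AND appears in `allowed`,
# the fixed list of locals the view actually declares.
def safe_local_name?(name, allowed:)
  key = name.to_s
  !(key =~ VALID_LOCAL_NAME).nil? && allowed.map(&:to_s).include?(key)
end

# Returns a new hash whose keys are Symbols drawn only from `allowed`;
# raises UnsafeLocalName for any other key, so the rejected request never
# reaches the template compiler.
def safe_render_locals(untrusted, allowed:)
  untrusted.each_with_object({}) do |(name, value), out|
    unless safe_local_name?(name, allowed: allowed)
      raise UnsafeLocalName, "rejected local name #{name.to_s.inspect}"
    end
    out[name.to_s.to_sym] = value
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: what a controller would receive from params.
  declared = %i[title count]
  p safe_render_locals({ "title" => "hello", "count" => 3 }, allowed: declared)
  begin
    # A key that is not a declared local is refused, whatever its value.
    safe_render_locals({ "title" => "x", "not_declared" => 1 }, allowed: declared)
  rescue UnsafeLocalName => e
    puts "rejected: #{e.message}"
  end
end
```

In a controller the call would read `render "main/show", locals: safe_render_locals(params[:locals].to_h, allowed: %i[title count])`; the allowlist is what makes this safe, the identifier regex is only a second line of defence.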
## Repository layout
```
[4.0K]  /data/pocs/554a1942793ce7e2831dcfb0f1d32c8d83eba67c
├── [ 869]  exploit.rb
├── [1.1K]  README.md
└── [4.0K]  test_cve-2020-8163
    ├── [4.0K]  app
    │   ├── [4.0K]  assets
    │   │   ├── [4.0K]  javascripts
    │   │   │   ├── [ 661]  application.js
    │   │   │   └── [ 211]  main.coffee
    │   │   └── [4.0K]  stylesheets
    │   │       ├── [ 686]  application.css
    │   │       └── [ 175]  main.scss
    │   ├── [4.0K]  controllers
    │   │   ├── [ 204]  application_controller.rb
    │   │   └── [  85]  main_controller.rb
    │   ├── [4.0K]  helpers
    │   │   ├── [  29]  application_helper.rb
    │   │   └── [  22]  main_helper.rb
    │   └── [4.0K]  views
    │       ├── [4.0K]  layouts
    │       │   └── [ 293]  application.html.erb
    │       └── [4.0K]  main
    │           ├── [ 121]  index.html.erb
    │           ├── [  66]  show.html.erb
    │           └── [  29]  _test.html.erb
    ├── [4.0K]  bin
    │   ├── [ 129]  bundle
    │   ├── [ 268]  rails
    │   ├── [ 213]  rake
    │   ├── [ 805]  setup
    │   └── [ 507]  spring
    ├── [4.0K]  config
    │   ├── [1.2K]  application.rb
    │   ├── [ 132]  boot.rb
    │   ├── [ 150]  environment.rb
    │   ├── [4.0K]  environments
    │   │   ├── [1.4K]  development.rb
    │   │   ├── [3.1K]  production.rb
    │   │   └── [1.7K]  test.rb
    │   ├── [4.0K]  initializers
    │   │   ├── [ 486]  assets.rb
    │   │   ├── [ 404]  backtrace_silencers.rb
    │   │   ├── [ 129]  cookies_serializer.rb
    │   │   ├── [ 194]  filter_parameter_logging.rb
    │   │   ├── [ 647]  inflections.rb
    │   │   ├── [ 156]  mime_types.rb
    │   │   ├── [ 135]  session_store.rb
    │   │   └── [ 372]  wrap_parameters.rb
    │   ├── [4.0K]  locales
    │   │   └── [ 634]  en.yml
    │   ├── [  76]  routes.rb
    │   └── [ 964]  secrets.yml
    ├── [ 153]  config.ru
    ├── [4.0K]  db
    │   └── [ 343]  seeds.rb
    ├── [1.4K]  Gemfile
    ├── [4.1K]  Gemfile.lock
    ├── [4.0K]  log
    │   └── [   1]  development.log
    └── [4.0K]  public
        ├── [1.5K]  404.html
        ├── [1.5K]  422.html
        └── [1.4K]  500.html

18 directories, 44 files
```