CVE-2021-33564 PoC — Ruby 参数注入漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-33564.yaml

Associated Vulnerability

Title:Ruby 参数注入漏洞 (CVE-2021-33564)
Description:Ruby是松本行弘个人开发者的一种跨平台、面向对象的动态类型编程语言。 Ruby 1.4.0版本之前存在参数注入漏洞，该漏洞源于Ruby的Dragonfly gem中存在一个参数注入漏洞，当验证URL选项被禁用时，远程攻击者利用该漏洞可以通过一个精心制作的URL读取和写入任意文件。

Description

Ruby Dragonfly before 1.4.0 contains an argument injection vulnerability that allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.

File Snapshot


 id: CVE-2021-33564

info:
  name: Ruby Dragonfly <1.4.0 - Remote Code Execution
  author: 0xsapra
  

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!