CVE-2021-33564 PoC — Ruby 参数注入漏洞

Source

https://github.com/mlr0p/CVE-2021-33564

Associated Vulnerability

Title:Ruby 参数注入漏洞 (CVE-2021-33564)
Description:Ruby是松本行弘个人开发者的一种跨平台、面向对象的动态类型编程语言。 Ruby 1.4.0版本之前存在参数注入漏洞，该漏洞源于Ruby的Dragonfly gem中存在一个参数注入漏洞，当验证URL选项被禁用时，远程攻击者利用该漏洞可以通过一个精心制作的URL读取和写入任意文件。

Description

Argument Injection in Dragonfly Ruby Gem

Readme

# CVE-2021-33564 PoC
Exploit script for CVE-2021-33564 (Argument Injection in Dragonfly Ruby Gem).

## Usage

### Arbitrary File Read

`python3 poc.py -u https://<target_url>/system/refinery/images -r /etc/passwd`

### Arbitrary File Write

`python3 poc.py -u https://<target_url>/system/refinery/images -w public/test.txt -c test.txt -lu http://<local_url>`

For more information, please visit the blog.

File Snapshot


 [4.0K]  /data/pocs/74388578ca3480d3acff8f29c99da778b411d57f
├── [2.2K]  poc.py
├── [ 405]  README.md
└── [  18]  requirements.txt

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!