Vulnerability Overview
CVE-2019-5418
Ruby on Rails is a Web development framework written in Ruby that is highly productive, easy to maintain and easy to deploy; it is one of the world's preferred frameworks for Web application development.
In a controller, `render file` renders a view located outside the application, and the specific file to render is determined by the Accept header the user sends. By sending `Accept: ../../../../../../../../etc/passwd{{` we construct a path traversal and read arbitrary files.
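A defensive check for the behaviour described above, as an added example that is not part of the original write-up or of Rails: a Rack-style middleware that refuses requests whose Accept header is not a list of well-formed media ranges. The class name `AcceptHeaderGuard`, the 406 response and the accepted character set are assumptions, and the sample requests are constructed.

```ruby
# Rack-style middleware in plain Ruby (no gems needed to run this file).
# AcceptHeaderGuard is a hypothetical name, not part of Rails or Rack.
class AcceptHeaderGuard
  # Conservative subset of the RFC 7231 token characters (assumption: this
  # covers the media types real clients send).
  TOKEN       = /[A-Za-z0-9!*+._-]+/
  PARAM       = /\s*;\s*#{TOKEN}=(?:#{TOKEN}|"[^",\\]*")/
  MEDIA_RANGE = /\A\s*#{TOKEN}\/#{TOKEN}(?:#{PARAM})*\s*\z/

  def initialize(app)
    @app = app
  end

  # True when every comma-separated element is a well-formed media range
  # and none contains a ".." path segment.
  def self.well_formed?(accept)
    return true if accept.nil? || accept.strip.empty?
    accept.split(",").all? do |part|
      MEDIA_RANGE.match?(part) && !part.include?("..")
    end
  end

  def call(env)
    return @app.call(env) if self.class.well_formed?(env["HTTP_ACCEPT"])
    # Refuse instead of letting a path-like value reach template lookup.
    [406, { "content-type" => "text/plain" }, ["Not Acceptable\n"]]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests; the second is the header value from the text.
  app = ->(_env) { [200, { "content-type" => "text/plain" }, ["robots\n"]] }
  guard = AcceptHeaderGuard.new(app)
  ["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
   "../../../../../../../../etc/passwd{{"].each do |accept|
    status, = guard.call("PATH_INFO" => "/robots", "HTTP_ACCEPT" => accept)
    puts "#{status} #{accept}"
  end
end
```

In a Rails application a middleware like this is registered with `config.middleware.use AcceptHeaderGuard`; it is an extra layer and does not replace patching Rails.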
Affected Versions
Rails 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1
Building the environment
Use vulhub to build the environment:
git clone https://github.com/vulhub/vulhub.git
cd vulhub/rails/CVE-2019-5418
docker-compose up -d
After the build completes, access IP:3000.
Accessing http://192.168.2.144:3000/robots reads out the robots.txt file as normal.
Request /robots and capture the request with Burp.
To exploit, change the Accept header to the path of an arbitrary file and send the following request to read `/etc/passwd`: