CVE-2020-8163 PoC — Ruby on Rails 代码注入漏洞

Source

https://github.com/h4ms1k/CVE-2020-8163

Associated Vulnerability

Title:Ruby on Rails 代码注入漏洞 (CVE-2020-8163)
Description:The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.

Description

Enviroment and exploit to rce test

Readme

# CVE-2020-8163
Enviroment and exploit to CVE-2020-8163 Blind remote code execution of user-provided local names in Rails < 5.0.1 and < 4.2.11.2

## Create the enviroment
  1. create docker container mapping port 4000 to 8001 
   ```
   sudo docker run --rm -it -p 8001:4000 ruby:2.3 bash
   ```

  2. update and install some tools in container
   ```
   apt update && apt install unzip libz-dev libiconv-hook1 libiconv-hook-dev net-tools nodejs -y
   ```

  3. get id container 
  ```
  sudo docker ps
  ```

  4. zip and copy app to docker container
  ```
  zip -r test_cve-2020-8163.zip test_cve-2020-8163/
  sudo docker cp test_cve-2020-8163.zip id_container:/opt/
  ```
  
  5. unzip and bundle app
  ```
  cd opt 
  unzip testapp.zip
  cd test_cve-2020-8163
  bundle
  ```
  
  6. start server
  ```
  bundle exec rails s -p 4000 -b '0.0.0.0'
  ```

  7. if we don't want to repeat the whole process, we do a docker commit
  ```
  sudo docker commit id_container name_of_commit
  ```
  
## Exploit
  1. execute exploit
  ```
  ruby exploit.rb http://localhost:8001/main/index "uname -a"
  ```
    
  2. See log to view the output

File Snapshot


 [4.0K]  /data/pocs/554a1942793ce7e2831dcfb0f1d32c8d83eba67c
├── [ 869]  exploit.rb
├── [1.1K]  README.md
└── [4.0K]  test_cve-2020-8163
    ├── [4.0K]  app
    │   ├── [4.0K]  assets
    │   │   ├── [4.0K]  javascripts
    │   │   │   ├── [ 661]  application.js
    │   │   │   └── [ 211]  main.coffee
    │   │   └── [4.0K]  stylesheets
    │   │       ├── [ 686]  application.css
    │   │       └── [ 175]  main.scss
    │   ├── [4.0K]  controllers
    │   │   ├── [ 204]  application_controller.rb
    │   │   └── [  85]  main_controller.rb
    │   ├── [4.0K]  helpers
    │   │   ├── [  29]  application_helper.rb
    │   │   └── [  22]  main_helper.rb
    │   └── [4.0K]  views
    │       ├── [4.0K]  layouts
    │       │   └── [ 293]  application.html.erb
    │       └── [4.0K]  main
    │           ├── [ 121]  index.html.erb
    │           ├── [  66]  show.html.erb
    │           └── [  29]  _test.html.erb
    ├── [4.0K]  bin
    │   ├── [ 129]  bundle
    │   ├── [ 268]  rails
    │   ├── [ 213]  rake
    │   ├── [ 805]  setup
    │   └── [ 507]  spring
    ├── [4.0K]  config
    │   ├── [1.2K]  application.rb
    │   ├── [ 132]  boot.rb
    │   ├── [ 150]  environment.rb
    │   ├── [4.0K]  environments
    │   │   ├── [1.4K]  development.rb
    │   │   ├── [3.1K]  production.rb
    │   │   └── [1.7K]  test.rb
    │   ├── [4.0K]  initializers
    │   │   ├── [ 486]  assets.rb
    │   │   ├── [ 404]  backtrace_silencers.rb
    │   │   ├── [ 129]  cookies_serializer.rb
    │   │   ├── [ 194]  filter_parameter_logging.rb
    │   │   ├── [ 647]  inflections.rb
    │   │   ├── [ 156]  mime_types.rb
    │   │   ├── [ 135]  session_store.rb
    │   │   └── [ 372]  wrap_parameters.rb
    │   ├── [4.0K]  locales
    │   │   └── [ 634]  en.yml
    │   ├── [  76]  routes.rb
    │   └── [ 964]  secrets.yml
    ├── [ 153]  config.ru
    ├── [4.0K]  db
    │   └── [ 343]  seeds.rb
    ├── [1.4K]  Gemfile
    ├── [4.1K]  Gemfile.lock
    ├── [4.0K]  log
    │   └── [   1]  development.log
    └── [4.0K]  public
        ├── [1.5K]  404.html
        ├── [1.5K]  422.html
        └── [1.4K]  500.html

18 directories, 44 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!