CVE-2016-0752 PoC — Ruby on Rails Action View 目录遍历漏洞

Source

https://github.com/dachidahu/CVE-2016-0752

Associated Vulnerability

Title:Ruby on Rails Action View 目录遍历漏洞 (CVE-2016-0752)
Description:Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.

Readme

Exploiting CVE-2016-0752
---

This app serves as a vulnerable Proof of Concept for exploiting CVE-2016-0752. For more information refer to this [blog post](https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/), which explains the vulnerability, the steps required to exploit, the fix, and a link to a metasploit module.

Getting Started
---


    echo "" > log/development.log # Clear out the log file
    rvm use 2.2.3
    bundle
    rails s

Vulnerable URL: http://localhost/users/dashboard

File Snapshot


 [4.0K]  /data/pocs/cd627987ef18476195e58f83c252f17aacde417e
├── [4.0K]  app
│   ├── [4.0K]  assets
│   │   ├── [4.0K]  images
│   │   ├── [4.0K]  javascripts
│   │   │   ├── [ 664]  application.js
│   │   │   └── [ 211]  welcome.js.coffee
│   │   └── [4.0K]  stylesheets
│   │       ├── [ 546]  application.css
│   │       └── [ 178]  welcome.css.scss
│   ├── [4.0K]  controllers
│   │   ├── [ 204]  application_controller.rb
│   │   ├── [4.0K]  concerns
│   │   ├── [  84]  user_controller.rb
│   │   └── [  70]  welcome_controller.rb
│   ├── [4.0K]  helpers
│   │   ├── [  29]  application_helper.rb
│   │   └── [  25]  welcome_helper.rb
│   ├── [4.0K]  mailers
│   ├── [4.0K]  models
│   │   └── [4.0K]  concerns
│   └── [4.0K]  views
│       ├── [4.0K]  admin
│       │   ├── [   5]  _admin.html.erb
│       │   └── [  23]  dashboard.html.erb
│       ├── [4.0K]  layouts
│       │   └── [ 298]  application.html.erb
│       ├── [4.0K]  user
│       │   ├── [  18]  dashboard.html.erb
│       │   ├── [  12]  public.html.erb
│       │   └── [  16]  show.html.erb
│       └── [4.0K]  welcome
│           └── [ 244]  index.html.erb
├── [4.0K]  bin
│   ├── [ 129]  bundle
│   ├── [ 146]  rails
│   └── [  90]  rake
├── [4.0K]  config
│   ├── [ 979]  application.rb
│   ├── [ 170]  boot.rb
│   ├── [ 576]  database.yml
│   ├── [ 154]  environment.rb
│   ├── [4.0K]  environments
│   │   ├── [1.1K]  development.rb
│   │   ├── [3.2K]  production.rb
│   │   └── [1.5K]  test.rb
│   ├── [4.0K]  initializers
│   │   ├── [ 404]  backtrace_silencers.rb
│   │   ├── [ 194]  filter_parameter_logging.rb
│   │   ├── [ 647]  inflections.rb
│   │   ├── [ 205]  mime_types.rb
│   │   ├── [ 662]  secret_token.rb
│   │   ├── [ 145]  session_store.rb
│   │   └── [ 517]  wrap_parameters.rb
│   ├── [4.0K]  locales
│   │   └── [ 634]  en.yml
│   └── [ 121]  routes.rb
├── [ 154]  config.ru
├── [4.0K]  db
│   └── [ 343]  seeds.rb
├── [1.1K]  Gemfile
├── [2.7K]  Gemfile.lock
├── [4.0K]  lib
│   ├── [4.0K]  assets
│   └── [4.0K]  tasks
├── [4.0K]  log
├── [4.0K]  public
│   ├── [1.3K]  404.html
│   ├── [1.3K]  422.html
│   ├── [1.2K]  500.html
│   ├── [   0]  favicon.ico
│   └── [ 202]  robots.txt
├── [ 253]  Rakefile
├── [ 518]  README.md
├── [4.0K]  test
│   ├── [4.0K]  controllers
│   │   └── [ 164]  welcome_controller_test.rb
│   ├── [4.0K]  fixtures
│   ├── [4.0K]  helpers
│   │   └── [  74]  welcome_helper_test.rb
│   ├── [4.0K]  integration
│   ├── [4.0K]  mailers
│   ├── [4.0K]  models
│   └── [ 492]  test_helper.rb
└── [4.0K]  vendor
    └── [4.0K]  assets
        ├── [4.0K]  javascripts
        └── [4.0K]  stylesheets

38 directories, 49 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!