Network Security Internet Technology Development Database Servers Mobile Phone Android Software Apple Software Computer Software News IT Information

In addition to Weibo, there is also WeChat

Please pay attention

WeChat public account

Shulou

How to resolve the CVE-2019-5418 vulnerability based on Ruby on Rails

2025-01-19 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Internet Technology >

Share

Shulou(Shulou.com)06/01 Report--

Today, I will talk to you about how to analyze the CVE-2019-5418 vulnerability based on Ruby on Rails, which may not be well understood by many people. in order to make you understand better, the editor has summarized the following content for you. I hope you can get something according to this article.

Introduction to 0x00

Ruby on Rails is a Web application framework and a relatively new Web application framework built on the Ruby language. It is billed as an alternative to the existing enterprise framework, and its goal is to make life easier in Web development.

Overview of 0x01 vulnerabilities

This vulnerability is mainly due to the fact that Ruby on Rails uses render file with specified parameters to render views outside the application. We can modify the request package to access a controller, achieve the purpose of path crossing through ".. /", and then close the template query path through "{", so that the file to be accessed is parsed as an external template.

0x02 affects version

Full version of Rails

The fixed version is:

Rails 6.0.0.beta3,5.2.2.1,5.1.6.2,5.0.7.2,4.2.11.1

0x03 environment building

Build on your own:

Use vulhub to build directly

Git clone https://github.com/vulhub/vulhub.gitcd / vulhub/rails/CVE-2019-5418docker-compose up-d

Visit http://ip:3000 and you can see

0x04 vulnerability exploitation

Request robots,Burp to grab the package.

Modify the Accept parameter to any file address, such as:

.. /.. / etc/passwd {{

For other exploits, use the attack module in msf:

After reading the above, do you have any further understanding of how to resolve the Ruby on Rails-based CVE-2019-5418 vulnerability? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

Views: 0

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.

Share To

Internet Technology

Wechat

© 2024 shulou.com SLNews company. All rights reserved.

12
Report