Related vulnerability
Description
cve-2019-5420 POC simple ruby script
Introduction
# Rails ActiveSupport Exploit (cve-2019-5420) POC
## POC Screenshot

## 🚨 Warning
This repository contains a **proof-of-concept (PoC) exploit** demonstrating **remote code execution (RCE)** in Ruby on Rails applications via `ActiveSupport::MessageVerifier` abuse. **Use responsibly!**
## 📌 Overview
This script exploits **ActiveSupport deserialization vulnerabilities** by leveraging a **crafted ERB object** wrapped in `DeprecatedInstanceVariableProxy`. When the signed payload is deserialized by a vulnerable Rails application, **arbitrary Ruby code execution** occurs.
## ⚠️ Disclaimer
This project is for **educational and research purposes only**. Unauthorized use against systems you do not own **is illegal** and may result in severe legal consequences.
## 🛠️ How It Works
### 1️⃣ Generate a Secret Key
- The script derives a `` from a known Rails application name using MD5 hashing.
### 2️⃣ Create an ActiveStorage Secret
- Uses `ActiveSupport::KeyGenerator` to generate a signing key.
### 3️⃣ Create a Malicious ERB Object
- Constructs an **uninitialized `` object** with attacker-controlled code.
### 4️⃣ Wrap in `DeprecatedInstanceVariableProxy`
- Hides the malicious object within an **innocuous-looking wrapper**.
### 5️⃣ Sign and Generate an Exploit Token
- Uses `ActiveSupport::MessageVerifier` to **sign** the payload, making it appear legitimate.
### 6️⃣ Achieve Remote Code Execution (RCE)
- When deserialized, Rails **executes** the attacker's payload, allowing arbitrary command execution.
## 🚀 Usage
```bash
ruby POC.rb
```
The script will generate a **signed exploit token**, which can be used against a vulnerable Rails application.
## 🛡️ Mitigations
- **Rotate and secure ``** to prevent attackers from generating signed payloads.
- **Upgrade Rails** to the latest version (Rails 7+ has stricter serialization mechanisms).
- **Use JSON serialization** instead of Marshal serialization to avoid arbitrary object loading.
- **Audit application deserialization** to ensure untrusted user input is not being deserialized.
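An audit helper for the last two points, added here and not part of the PoC: it splits a MessageVerifier-style token (`<base64 payload>--<hex HMAC>`), reports whether the payload is Marshal data (the `\x04\x08` header) or JSON, and checks the HMAC when the auditor holds the application's own secret. It assumes the verifier's default SHA1 digest and strict Base64 encoding; the sample tokens in the test are constructed.

```ruby
require "base64"
require "json"
require "openssl"

# Added audit helper (not from the PoC). Token layout assumed:
#   "<strict base64 of serialized payload>--<hex HMAC over the base64 part>"
# Digest assumed to be SHA1, the ActiveSupport::MessageVerifier default.
MARSHAL_MAGIC = "\x04\x08".b # Marshal format version 4.8 header

def split_token(token)
  data, sig = token.to_s.split("--", 2)
  return nil if data.nil? || sig.nil? || data.empty? || sig.empty?
  [data, sig]
end

# :marshal means a leaked or derivable signing secret lets the server
# instantiate arbitrary objects from this token; :json loads plain data only.
def payload_format(token)
  data, _sig = split_token(token)
  return :unknown unless data
  raw = Base64.strict_decode64(data)
  return :marshal if raw.b.start_with?(MARSHAL_MAGIC)
  JSON.parse(raw)
  :json
rescue ArgumentError, JSON::ParserError
  :unknown
end

# Constant-time byte comparison so the check itself does not leak the digest.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def signature_valid?(token, secret, digest: "SHA1")
  data, sig = split_token(token)
  return false unless data
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(digest), secret, data)
  secure_equal?(expected, sig)
end

# Summarise a batch of tokens (cookies, signed ids) collected during an audit.
def audit_tokens(tokens, secret)
  tokens.map do |t|
    { token: t, format: payload_format(t), signed: signature_valid?(t, secret) }
  end
end
```

Any token that reports `:marshal` is the case the mitigation list warns about: the signature is the only thing standing between a known secret and object loading.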
## 📜 Legal Disclaimer
This project is intended for educational purposes **only**. The author is **not responsible** for any misuse or damages caused by this code.
## 📚 References
- [Rails Security Guide](https://guides.rubyonrails.org/security.html)
- [CWE-502: Deserialization of Untrusted Data](https://cwe.mitre.org/data/definitions/502.html)
---
⚠️ **Use at your own risk!**
File snapshot
[4.0K] /data/pocs/da36cd28b8e35ac7f753e310f868ddabec5afdef
├── [ 53K] cve-2019-5420-POC_SCREENSHOT.png
├── [1.1K] LICENSE
├── [1.5K] POC.rb
└── [2.5K] README.md
0 directories, 4 files
Notes
1. Access through the original source is recommended.
2. If the source is unavailable or cannot be accessed, email f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.