PoC details: da36cd28b8e35ac7f753e310f868ddabec5afdef

Source
Related vulnerability
Title: Ruby on Rails security feature issue vulnerability (CVE-2019-5420)
Description: Ruby on Rails is an open-source web application framework based on the Ruby language, developed by the Rails team. A security feature issue vulnerability exists in Ruby on Rails. A remote attacker can exploit it to execute arbitrary code on the affected system.
Description
CVE-2019-5420 PoC: simple Ruby script
Introduction
# Rails ActiveSupport Exploit (CVE-2019-5420) PoC


## POC Screenshot

![Screenshot](cve-2019-5420-POC_SCREENSHOT.png)


## 🚨 Warning

This repository contains a **proof-of-concept (PoC) exploit** demonstrating **remote code execution (RCE)** in Ruby on Rails applications via `ActiveSupport::MessageVerifier` abuse. **Use responsibly!**

## 📌 Overview

This script exploits **ActiveSupport deserialization vulnerabilities** by leveraging a **crafted ERB object** wrapped in `DeprecatedInstanceVariableProxy`. When the signed payload is deserialized by a vulnerable Rails application, **arbitrary Ruby code execution** occurs.

## ⚠️ Disclaimer

This project is for **educational and research purposes only**. Unauthorized use against systems you do not own **is illegal** and may result in severe legal consequences.

## 🛠️ How It Works

### 1️⃣ Generate a Secret Key

- The script derives a `` from a known Rails application name using MD5 hashing.

### 2️⃣ Create an ActiveStorage Secret

- Uses `ActiveSupport::KeyGenerator` to generate a signing key.

### 3️⃣ Create a Malicious ERB Object

- Constructs an **uninitialized** `` **object** with attacker-controlled code.

### 4️⃣ Wrap in `DeprecatedInstanceVariableProxy`

- Hides the malicious object within an **innocuous-looking wrapper**.

### 5️⃣ Sign and Generate an Exploit Token

- Uses `ActiveSupport::MessageVerifier` to **sign** the payload, making it appear legitimate.

### 6️⃣ Achieve Remote Code Execution (RCE)

- When deserialized, Rails **executes** the attacker's payload, allowing arbitrary command execution.

## 🚀 Usage

```bash
ruby POC.rb
```

The script will generate a **signed exploit token**, which can be used against a vulnerable Rails application.

## 🛡️ Mitigations

- **Rotate and secure** `` to prevent attackers from generating signed payloads.
- **Upgrade Rails** to the latest version (Rails 7+ has stricter serialization mechanisms).
- **Use JSON serialization** instead of Marshal serialization to avoid arbitrary object loading.
- **Audit application deserialization** to ensure untrusted user input is not being deserialized.
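The first mitigation above depends on the secret actually being a secret. Because the PoC derives its signing key from the MD5 digest of a known application name, a defender can audit a deployment for exactly that weakness. The script below is an added example written for this page, not code from the PoC repository or from Rails; the candidate names, the `Blog::Application` sample and the 128-hex-character length threshold (what `rails secret` emits) are assumptions you should adapt to your own deployment.

```ruby
require 'digest/md5'
require 'securerandom'

# Heuristic length threshold: `rails secret` emits SecureRandom.hex(64),
# i.e. 128 hex characters. Shorter values are not automatically weak,
# but they deserve a second look. (Assumption for this audit helper.)
MIN_SECRET_LENGTH = 128

# Constant-time string comparison so the audit itself does not leak the
# configured secret through timing differences.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Audit a secret_key_base value. Returns a list of findings (symbols);
# an empty list means no issue was detected by this helper.
#
# candidate_names: names an attacker could plausibly guess for the app,
# e.g. the Application class name and the bare app name. The helper
# computes MD5 for each and checks whether the secret equals that digest,
# which is the guessable default the PoC relies on.
def audit_secret_key_base(secret_key_base, candidate_names:)
  findings = []
  derived_from_name = candidate_names.any? do |name|
    constant_time_equal?(Digest::MD5.hexdigest(name), secret_key_base)
  end
  findings << :md5_of_app_name if derived_from_name
  findings << :too_short if secret_key_base.bytesize < MIN_SECRET_LENGTH
  findings
end

# Replacement secret with the same construction `rails secret` uses.
def strong_secret_key_base
  SecureRandom.hex(64)
end

if $PROGRAM_NAME == __FILE__
  names = %w[Blog::Application Blog] # constructed sample names
  weak = Digest::MD5.hexdigest('Blog::Application') # constructed: the guessable default
  puts "weak secret findings:   #{audit_secret_key_base(weak, candidate_names: names).inspect}"
  puts "strong secret findings: #{audit_secret_key_base(strong_secret_key_base, candidate_names: names).inspect}"
end
```

To check a live application, read the effective value with `Rails.application.secret_key_base` in a Rails console and pass it to `audit_secret_key_base` together with the names an outsider could guess; any `:md5_of_app_name` finding means every signed token the app has issued should be treated as forgeable and the secret rotated.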

## 📜 Legal Disclaimer

This project is intended for educational purposes **only**. The author is **not responsible** for any misuse or damages caused by this code.

## 📚 References

- [Rails Security Guide](https://guides.rubyonrails.org/security.html)
- [CWE-502: Deserialization of Untrusted Data](https://cwe.mitre.org/data/definitions/502.html)

---

⚠️ **Use at your own risk!**

File snapshot

[4.0K] /data/pocs/da36cd28b8e35ac7f753e310f868ddabec5afdef
├── [ 53K] cve-2019-5420-POC_SCREENSHOT.png
├── [1.1K] LICENSE
├── [1.5K] POC.rb
└── [2.5K] README.md

0 directories, 4 files