Current issue : #69 | Release date : 2016-05-06 | Editor : The Phrack Staff
Title : Attacking Ruby on Rails Applications
Author : joernchen
==Phrack Inc.==
Volume 0x0f, Issue 0x45, Phile #0x0c of 0x10
|=-----------------------------------------------------------------------=|
|=--------------=[ Attacking Ruby on Rails Applications ]=---------------=|
|=-----------------------------------------------------------------------=|
|=---------------------=[ joernchen of Phenoelit ]=----------------------=|
|=---------------------=[ [email protected] ]=----------------------=|
|=-----------------------------------------------------------------------=|
--[ Table of contents
0 - Intro
1 - A Brief Overview
1.1 - User input
1.1.1 - POST/PUT/GET application/x-www-form-urlencoded
1.1.2 - Multiparameter attributes
1.1.3 - POST/PUT text/xml
1.1.4 - POST/PUT application/json
1.1.5 - GET vs. POST/PUT
2 - Common pitfalls
2.1 - Sessions
2.2 - to_json / to_xml
2.3 - Code / Command Execution
2.3.1 - Classical OS Command Injection
2.3.2 - eval(user_input) and Friends
2.3.3 - Indirections
2.4 - Mass assignments
2.5 - Regular Expressions
2.6 - Renderers
2.7 - Routing
3 - My favourite technique - CVE-2013-3221
4 - Notes on Code Injection Payloads
5 - Greetz and
Lots of magic is involved in Rails' parameter parsing. POST parameters
encoded as application/x-www-form-urlencoded or regular GET parameters can
encode arrays like this:
user[]=Phrack&user[]=rulez
The resulting params hash is in this case:
params {"user" => ["Phrack","rulez"]}
Encoding sub-hashes in the params hash is also possible:
user[name]=hacker&user[password]=happy
The above will result in params being the following:
params = {"user"=>{"name"=>"hacker","password"=>"happy"}}
Besides strings, the basic GET/POST parameters can also encode a Ruby nil
value, like this:
user[name]
By leaving out the = and the value, the resulting hash looks like:
params = {"user"=>{"name"=>nil}}
--[ 1.1.2 - Multiparameter attributes
When a single attribute has to carry multiple values, those can be encoded
in plain POST and GET requests as well. These so-called multiparameters look
like the following:
user[multiparam(1)]=first_val&user[multiparam(2)]=second_val&[...]
&user[multiparam(n)]=nth_val
Also valid is a multiparameter assignment with a single parameter like:
user[name(1)]=HappyHacker
Internally the values (1)..(n) are collected into an array, and this array
is assigned to the attribute. This is rarely seen in real-world code, but it
is useful for things like timestamps:
post[date(1)]=1985&post[date(2)]=11&post[date(3)]=17
The above example assigns year, month and day to the post[date] parameter,
i.e. to a multiparameter attribute called date.
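The parameter parsing of 1.1.1 and the multiparameter grouping of 1.1.2, re-implemented as an added example so the resulting params hashes can be inspected offline; this is illustrative code written for this edit, not Rails' or the author's, the names parse_nested_query, normalize_params and extract_multiparameter are assumed, and only the (1)..(n) form shown above is handled.

```ruby
require 'cgi'

# Parse "a[b][]=v&c[d]=w" into nested Hash/Array structures the way Rails
# builds params. A pair with no "=" yields nil, as described above.
def parse_nested_query(qs)
  params = {}
  qs.split('&').each do |pair|
    next if pair.empty?
    k, v = pair.split('=', 2)
    k = CGI.unescape(k)
    v = CGI.unescape(v) if v   # v stays nil for "user[name]"
    normalize_params(params, k, v)
  end
  params
end

# Recursive descent over the bracket syntax: "user" is the current key,
# "[name][]" the remainder handled by the next call.
def normalize_params(params, name, v)
  return params unless name =~ /\A([^\[]+)(.*)\z/
  k, rest = $1, $2
  if rest.empty?
    params[k] = v                       # plain scalar (or nil)
  elsif rest == '[]'
    (params[k] ||= []) << v             # user[]=a&user[]=b -> array
  elsif rest =~ /\A\[([^\]]*)\](.*)\z/
    child, after = $1, $2
    normalize_params(params[k] ||= {}, child + after, v)  # sub-hash
  end
  params
end

# Group "date(1)", "date(2)", "date(3)" keys of one attribute hash into a
# position-ordered array, which is what the multiparameter assignment does.
def extract_multiparameter(attrs)
  plain, multi = {}, {}
  attrs.each do |key, value|
    if key =~ /\A(.+)\((\d+)\)\z/
      (multi[$1] ||= {})[$2.to_i] = value
    else
      plain[key] = value
    end
  end
  multi.each { |name, parts| plain[name] = parts.sort.map(&:last) }
  plain
end

p extract_multiparameter(
  parse_nested_query("post[date(1)]=1985&post[date(2)]=11&post[date(3)]=17")["post"])
```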
--[ 1.1.3 - POST/PUT text/xml
Besides the usual POST/PUT parameters Rails typically also understands XML
input. This however was removed within the Rails 4 release [1].
With XML encoded parameters there are various typecasting possibilities.
Here is an excerpt from the responsible parser
(rails/activesupport/lib/active_support/xml_mini.rb):
PARSING = {
  "symbol"   => Proc.new { |symbol| symbol.to_sym },
  "date"     => Proc.new { |date| ::Date.parse(date) },
  "datetime" => Proc.new { |time| ::Time.parse(time).utc rescue
                                  ::DateTime.parse(time).utc },
  "integer"  => Proc.new { |integer| integer.to_i },
  "float"    => Proc.new { |float| float.to_f },
  "decimal"  => Proc.new { |number| BigDecimal(number) },
  "boolean"  => Proc.new { |boolean|
                  %w(1 true).include?(boolean.strip) },
  "string"   => Proc.new {...
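To see what this table means for an incoming request, here is an added example (not code from the article or from Rails) that applies a subset of those casts to a constructed XML body: the client, not the application, picks the Ruby type of every value via the type attribute. REXML stands in for the Rails parser, the datetime entry is left out to stay within the standard library, and the names XML_CASTS, xml_to_params and parse_xml_body are assumed.

```ruby
require 'rexml/document'
require 'date'
require 'bigdecimal'

# Subset of the casts excerpted above. Note that "symbol" turns untrusted
# text into a Symbol (before Ruby 2.2 symbols were never garbage collected).
XML_CASTS = {
  "symbol"  => proc { |s| s.to_sym },
  "date"    => proc { |d| Date.parse(d) },
  "integer" => proc { |i| i.to_i },
  "float"   => proc { |f| f.to_f },
  "decimal" => proc { |n| BigDecimal(n) },
  "boolean" => proc { |b| %w(1 true).include?(b.strip) },
}

# Walk the XML tree: a leaf element becomes a value cast per its type
# attribute (default: the text as a String), a branch becomes a Hash.
def xml_to_params(node)
  children = node.elements.to_a
  if children.empty?
    cast = XML_CASTS[node.attributes["type"]]
    text = node.text.to_s
    cast ? cast.call(text) : text
  else
    children.each_with_object({}) { |c, h| h[c.name] = xml_to_params(c) }
  end
end

def parse_xml_body(body)
  doc = REXML::Document.new(body)
  { doc.root.name => xml_to_params(doc.root) }
end

# Constructed request body: both the values and their casts come from the
# request, so the application receives a Symbol, Integer, BigDecimal, ...
SAMPLE_BODY = <<~XML
  <user>
    <name type="symbol">admin</name>
    <age type="integer">42</age>
    <balance type="decimal">19.99</balance>
    <admin type="boolean">1</admin>
    <joined type="date">1985-11-17</joined>
    <note>plain</note>
  </user>
XML

p parse_xml_body(SAMPLE_BODY)
```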