Try searching for "ruby deserialization gadget chain" online.
Lab: Exploiting Ruby deserialization using a documented gadget chain
This lab uses a serialization-based session mechanism and the Ruby on Rails framework. There are documented exploits that enable remote code execution via a gadget chain in this framework.
To solve the lab, find a documented exploit and adapt it to create a malicious serialized object containing a remote code execution payload. Then, pass this object into the website to delete the morale.txt file from Carlos's home directory.
You can log in to your own account using the following credentials: wiener:peter
- Log in to your own account and notice that the session cookie contains a serialized ("marshaled") Ruby object. Send a request containing this session cookie to Burp Repeater.
- Browse the web to find the "Universal Deserialisation Gadget for Ruby 2.x-3.x" by devcraft.io. Copy the final script for generating the payload.
- Modify the script as follows:
  - Change the command that should be executed from
  - Replace the final two lines with `puts Base64.encode64(payload)`. This ensures that the payload is output in the correct format for you to use for the lab.
- Run the script and copy the resulting Base64-encoded object.
- In Burp Repeater, replace your session cookie with the malicious one that you just created, then URL encode it.
- Send the request to solve the lab.
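The sink this lab relies on is a session store that hands the cookie straight to `Marshal.load`. The following is an added example, not the lab's or PortSwigger's code: the vulnerable pattern beside a hardened store that signs a JSON body with HMAC (the secret and session contents are constructed), plus the triage check behind step 1, recognising a marshaled cookie by its Marshal header.

```ruby
require 'base64'
require 'json'
require 'openssl'

# Vulnerable pattern: the cookie body is handed to Marshal.load as-is, so any
# object graph the client supplies is rebuilt server-side. This is the sink a
# gadget chain needs; no payload is shown here.
def load_session_unsafe(cookie)
  Marshal.load(Base64.decode64(cookie))
end

# Constructed demo secret; a real app loads this from its credentials store.
SECRET = 'constructed-demo-secret'

# Constant-time byte comparison so a forged tag cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened pattern (assumed design): JSON body + HMAC-SHA256 tag. Tampered
# cookies fail verification before parsing, and JSON.parse can only yield
# strings, numbers, booleans, arrays and hashes, never arbitrary Ruby objects.
def encode_session(data, secret = SECRET)
  body = Base64.strict_encode64(JSON.generate(data))
  "#{body}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, body)}"
end

def load_session_safe(cookie, secret = SECRET)
  body, tag = cookie.to_s.split('--', 2)
  return nil if body.nil? || tag.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, body)
  return nil unless secure_equal?(expected, tag)
  JSON.parse(Base64.strict_decode64(body))
rescue JSON::ParserError, ArgumentError
  nil
end

# Triage check for step 1: a Marshal stream begins with format version bytes
# 4.8 ("\x04\x08"), so a marshaled session cookie decodes to exactly that.
def marshal_cookie?(cookie)
  raw = Base64.decode64(cookie.to_s)
  raw.bytesize >= 2 && raw.getbyte(0) == 4 && raw.getbyte(1) == 8
end
```

The cookie as sent by the browser is URL-encoded, so decode it with `URI.decode_www_form_component` before passing it to `marshal_cookie?`.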