WeChall - Railsbin
Challenge
Railsbin (Exploit) — score 3, by gizmore.
The project named "railsbin" is open source, but has a few security problems. Can you exploit the demo site? The solution is the password hash of user solution.
Railsbin 是一个开源 Ruby on Rails pastebin demo。源码在 gizmore/railsbin。目标是得到用户
solution 的 bcrypt password hash。
Solution
源码审计发现 UsersController#index 有一个漏洞:
1 | # app/controllers/users_controller.rb:8 |
将 encrypted_password(bcrypt hash)复制到虚拟属性
password 上。JSON view 直接序列化暴露:
1 | # app/views/users/index.json.jbuilder |
无需认证,直接请求:
1 | GET https://railsbin.wechall.net/users.json |
返回所有用户的完整 bcrypt hash,包括 solution 用户:
1 | { |