Neonify
A web application running Ruby on Rails which uses a weak regex that can be bypassed with a newline character, allowing server-side template injection.
Checking the website, we are greeted with a service that allows our input to be "neonified".
Checking the Dockerfile, we see that we're using Ruby, so this is most likely a Ruby on Rails web service.
Checking the source code, we find that when we do a POST request, it gets the neon parameter from that request and throws it into a regex which checks if it's only alphanumeric. After that, it calls ERB, which is a templating language built for Ruby.
Looking for vulnerabilities in the source code, there's a StackOverflow post regarding the use of ^ and $ in regex. Basically, in Ruby these two characters match at the start and end of a line rather than of the whole string, so when the application receives an input such as hello\n{malicious_input}, only the first line has to satisfy the regex and the malicious input on the second line is never inspected.
What is instead recommended is to use one of:
\A - which matches the beginning of the string.
\z - which matches the end of the string.
\Z - for cases where you want to match the end of the string, except that if the string ends in a newline it matches just before that newline.
We can see that the code uses both ^ and $. Since the validated input is then passed to an ERB function, we can perform server-side template injection. HackTricks has a good article on how to exploit SSTI for ERB on Ruby.
As a proof-of-concept, we'll send this payload, which tries to read /etc/passwd:
test\n<%= File.open('/etc/passwd').read %>
test%0A%3C%25%3D+File%2Eopen%28%27%2Fetc%2Fpasswd%27%29%2Eread+%25%3E
Testing it out, we see it works and we have code execution. It is now trivial to retrieve the flag.