0

I am trying to perform code execution in Ruby eval() by first breaking out of the string by injecting ("). The following code is used for injection.

myuser"%2B`[system('uname')]`%2B"

I am not receiving an error, but the command between the backticks is not executing.

I am trying to inject into the username value below.

eval "\"Hello "+params['username']+"\""
  • I don't understand the question. What is myuser? What exactly are you running? What result do you get? What are you expecting/hoping for? Can you provide a minimal reproducible example of the problem? Commented Apr 29, 2018 at 22:40
  • I am trying to inject some code like "system(hostname)" into the username parameter. "myuser" is some random string. Commented Apr 29, 2018 at 22:54
  • What's the context for this question? %2B means nothing to Ruby. Why is eval necessary here? Commented Apr 29, 2018 at 23:35
  • What is your question? Commented Apr 30, 2018 at 5:17
  • @AshwinGopalakrishnan If I understand correctly (??) you're asking "how do I trigger a system command via a string interpolation?" ... The answer is you can't, as this would be a gigantic security vulnerability if it were possible. (You could just enter "`system(rm -rf /)`" as the parameter!!!) If you want to trigger a system call, then you need to do this explicitly in the Ruby code, and with great caution. Commented Apr 30, 2018 at 9:02

2 Answers

2

I'm not 100% sure of your use case, but I can tell you these:

system will run a shell command, and return success/failure, but won't save the results:

irb(main):001:0> x = system('uname')
Linux
=> true
irb(main):002:0> x
=> true

Backticks will run the shell command and save the output, but don't require the word system:

irb(main):003:0> x = `uname`
=> "Linux\n"
irb(main):004:0> x
=> "Linux\n"

(If you include "system" inside the backticks it will run "system" on the command line; usually not what you want)

Backticks alone don't do anything inside strings:

irb(main):005:0> "I am `uname`"
=> "I am `uname`"

But they will be expanded with #{} inside double quotes:

irb(main):006:0> "I am #{`uname`}"
=> "I am Linux\n"

But it's usually better to run the command first, check for errors, and then add it to the string, like

result = `uname`
# Check for errors here
output = "context #{result} more context"

1
eval "\"Hello "+params['username']+"\""

If this is the Ruby code that runs on the server and you want to perform code injection, you can use the following payload.

myuser"+`uname`+"

But you need to URL-encode the above payload if the username param was retrieved via a GET request.

The payload after URL-encoding will be as follows:

myuser%22%2B%60uname%60%2B%22
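The following Ruby script is an added example, not code from the question or from either answer. It puts the eval pattern from the question beside a hardened version that never evaluates user input, and swaps the shell command for a harmless arithmetic probe so the effect can be observed safely. It covers both the first answer's point (backticks inside a variable are not executed by #{} interpolation) and the second answer's point about URL encoding: an undecoded parameter reaches eval as plain characters, which is why nothing runs and no error appears. The names greet_with_eval, greet_safely, PROBE, PROBE_ENCODED and outcomes are chosen here, and the encoded string is constructed for the example.

```ruby
require "cgi"

# Constructed example (not code from the question or either answer). It
# reproduces the eval pattern from the question beside a hardened form and
# uses a harmless arithmetic probe instead of a shell command.

# Vulnerable: user input is spliced into Ruby SOURCE text, then evaluated.
# Anything after a closing quote in `username` becomes Ruby code.
def greet_with_eval(username)
  eval "\"Hello " + username + "\""
end

# Hardened: build the string with interpolation and never eval user input.
# Quotes and backticks inside `username` stay literal characters.
def greet_safely(username)
  "Hello #{username}"
end

# Harmless probe: closes the literal, evaluates 6*7, reopens the literal.
# A "42" in the output proves injected Ruby ran, without touching the OS.
PROBE = 'myuser"+(6*7).to_s+"'

# The same probe as it would arrive in a URL-encoded GET parameter (constructed).
PROBE_ENCODED = "myuser%22%2B%286%2A7%29.to_s%2B%22"

# What the server sees depends on whether the framework decoded the parameter.
def outcomes
  {
    # plain name: both paths behave the same
    benign_eval:    greet_with_eval("myuser"),
    benign_safe:    greet_safely("myuser"),
    # decoded probe hits eval: the injected code runs
    decoded_eval:   greet_with_eval(CGI.unescape(PROBE_ENCODED)),
    # undecoded probe hits eval: %22/%2B are just characters inside the
    # string literal, so nothing runs and no error is raised (the symptom
    # described in the question)
    undecoded_eval: greet_with_eval(PROBE_ENCODED),
    # decoded probe hits the hardened version: echoed back as literal text
    decoded_safe:   greet_safely(CGI.unescape(PROBE_ENCODED)),
    # backticks inside a variable are not executed by #{} interpolation
    backtick_safe:  greet_safely("`echo hi`"),
  }
end

if __FILE__ == $0
  outcomes.each { |name, value| puts "#{name}: #{value.inspect}" }
end
```

Running the script prints one line per case; the only case that yields "Hello myuser42" is the decoded probe reaching eval, which is the condition a code review should flag. The fix is removing eval entirely, not filtering quotes from the parameter.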
