POC details: 3ec4dedb519ffa709814880094d3c87c84df3c33

Source
Related vulnerability
Title: GitLab security vulnerability (CVE-2023-7028)
Description: GitLab is an open-source end-to-end software development platform from the US company GitLab, with built-in version control, issue tracking, code review, CI/CD (continuous integration and continuous delivery) and other features. GitLab has a security vulnerability that stems from user account password reset emails possibly being sent to an unverified email address.
Description
Exploit for CVE-2023-7028
Introduction
# CVE-2023-7028

⚠️ This exploit is for defensive purposes and should be used by cybersecurity professionals to identify possible vulnerable GitLab servers.

# Description

### CVE-2023-7028 - Account Takeover via Password Reset without user interaction in GitLab Community Edition and Enterprise Edition

![gitlablogo](https://upload.wikimedia.org/wikipedia/commons/e/e1/GitLab_logo.svg)

*Products and Versions affected:*

| Product                           | Affected Versions                                        |
| :-------------------------------- | :------------------------------------------------------- |
| GitLab Community Edition and Enterprise Edition | < 16.1.6 <br /> < 16.2.9<br /> < 16.3.7 <br /> < 16.4.5 <br /> < 16.5.6 <br /> < 16.6.4 <br /> < 16.7.2 |

- **CVSS:** 10.0
- **Actively Exploited:** NO
- **Patch:** [YES](https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/)
- **Mitigation:** NO

# Help

```
usage: CVE-2023-7028.py [-h] -u URL -t TARGET -a ATTACKER

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     GitLab URL (HTTP or HTTPS)
  -t TARGET, --target TARGET
                        Target email address
  -a ATTACKER, --attacker ATTACKER
                        Attacker email address
```

**Example:** `python CVE-2023-7028.py -u https://gitlab.example.com -t admin@example.com -a attacker@notexample.com`

# Lab

You can use Try Hack Me's Room [GitLab CVE-2023-7028](https://tryhackme.com/room/gitlabcve20237028) to test the exploit because it runs a vulnerable version affected by CVE-2023-7028.

# Exposed GitLab Servers as Mapped by SHADOWSERVER:

![map2](https://github.com/yoryio/CVE-2023-7028/assets/134471901/6140f105-bee0-4bee-b07c-2003c1f0d9a7)

# References

- [GitLab Critical Security Release: 16.7.2, 16.6.4, 16.5.6](https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/)
- [Over 5,300 GitLab servers exposed to zero-click account takeover attacks](https://www.bleepingcomputer.com/news/security/over-5-300-gitlab-servers-exposed-to-zero-click-account-takeover-attacks/)
- [Shadowserver GitLab Statistics](https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2024-01-23&source=http_vulnerable&source=http_vulnerable6&tag=cve-2023-7028%2B&geo=all&data_set=count&scale=log)
- [CVE-2023-7028 - AttackerKB](https://attackerkb.com/topics/VBDvNxhyjr/cve-2023-7028)

File snapshot

[4.0K] /data/pocs/3ec4dedb519ffa709814880094d3c87c84df3c33
├── [1.2K] CVE-2023-7028.py
└── [2.4K] README.md

0 directories, 2 files
The Shenlong bot has cached this for you.
Notes
    1. Accessing via the original source is recommended.
    2. If the source is no longer available or cannot be accessed, please send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.