CVE-2022-2185 PoC — GitLab 操作系统命令注入漏洞

Source

https://github.com/ESUAdmin/CVE-2022-2185

Associated Vulnerability

Title:GitLab 操作系统命令注入漏洞 (CVE-2022-2185)
Description:GitLab是美国GitLab公司的一个开源的端到端软件开发平台，具有内置的版本控制、问题跟踪、代码审查、CI/CD（持续集成和持续交付）等功能。 GitLab 存在操作系统命令注入漏洞，该漏洞源于未经授权的用户可能使用以下命令在服务器上执行任意代码项目导入功能。以下产品版本受到影响：14.10.5 之前的 14.0、15.0.4 之前的 15.0 和 15.1.1 之前的 15.1 开始的所有版本。

Description

wo ee cve-2022-2185 gitlab authenticated rce

Readme

# CVE-2022-2185
wo ee cve-2022-2185 gitlab authenticated rce

read: https://starlabs.sg/blog/2022/07-gitlab-project-import-rce-analysis-cve-2022-2185/

## how to use

First spawn a gitlab instance. Log in, create a group and project with a unique name. Create an access token.

Edit these lines in main.go and compile it:

```go
const importProjectName = "projectwtf"
const runCmd = "/bin/sleep inf"
const proxyTo = "http://localhost:8000/"
```

This mitm runs on `*:8100`. Expose it to the Internet.

Log in to target server. Navigate to create a group - import and enter the local server details. When you are going to import, intercept the request and change it:

- `source_type` to `project_entity`
- `source_full_path` to `your_group/your_project`
- if `destination_namespace` is empty, change it to any non-empty name
- `destination_name` is not empty by design

Pass the modified request to server. Wait 255s to get rce.

Note: the command may be run multiple times.

File Snapshot


 [4.0K]  /data/pocs/4012708c475a5a3e085daa08d716906b23702151
├── [2.1K]  main.go
└── [ 974]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!