POC details: 87537122cc2253ebcb50ed640d6ed1990950ccb2

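Source
Related vulnerability
Title: GitLab code injection vulnerability (CVE-2021-22205)
Description: GitLab is an open-source, end-to-end software development platform from the US company GitLab, with built-in version control, issue tracking, code review, CI/CD (continuous integration and continuous delivery) and other features. Gitlab Community Edition has a code injection vulnerability caused by improper input validation in the image parser when it processes image files. The following products and versions are affected: Gitlab Community Edition: 11.9.0, 11.9.1, 11.9.2, 11.9.3, 11.9.4, 11.9.5, 11.9.6, 11.9.7, 11.9.8, 11.9.9, 11
Description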
A CVE-2021-22205 Gitlab RCE POC written in Golang
Introduction
# Golang-CVE-2021-22205-POC
A bare-bones CVE-2021-22205 Gitlab RCE POC written in Golang. The vulnerability affects Gitlab CE/EE < 13.10.3, Gitlab CE/EE < 13.9.6 and Gitlab CE/EE < 13.8.8.

I've been wanting to learn Golang for a while. I decided to write a POC for CVE-2021-22205 in Golang to help familiarize myself with the language. Please disregard what I am assuming is horribly written code.

Usage: ```go run CVE-2021-22205.go -t http://127.0.0.1:8080 -c "echo pizza > /tmp/pizza.txt"```
Where the t flag specifies the target Gitlab instance and the c flag is the command you want to run.

The script is set up to use http://localhost:9090 as a proxy. You'll need to delete that if you don't want to use a proxy.

A vulnerable docker setup can be found here:
https://github.com/vulhub/vulhub/tree/master/gitlab/CVE-2021-22205

CVE Finder Writeup:
https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
File snapshot

```
[4.0K] /data/pocs/87537122cc2253ebcb50ed640d6ed1990950ccb2
├── [4.0K] CVE-2021-22205.go
└── [ 922] README.md

0 directories, 2 files
```