Related vulnerability
Title:
GitLab path traversal vulnerability
(CVE-2020-10977)
Description: GitLab is a self-hosted Git (version control system) repository application developed in Ruby on Rails by the US company GitLab. It can be used to browse a project's file contents, commit history, bug list and so on. A path traversal vulnerability exists in GitLab (Enterprise Edition and Community Edition) before version 12.9. The vulnerability stems from the system or product failing to properly filter special elements in resource or file paths. An attacker can exploit it to access locations outside the restricted directory.
Description
cve-2020-10977 read and execute
Introduction
# CVE-2020-10977 read and execute
## About CVE-2020-10977
- HackerOne Report: https://hackerone.com/reports/827052
- Exploit-DB: https://www.exploit-db.com/exploits/48431
- How to reproduce the execution part manually: [From reading to execution](from-reading-to-execution.md)
## About this repository
- `get_secret.py` - main script. It first uses thewhiteh4t's code to exploit cve-2020-10977 and extract the `secret_key_base` from the given repository. Then it launches `cookie_maker.sh` to generate a cookie carrying the payload.
Usage: python get_secret.py http://gitlab.vh foo gfhjkm123
- `cookie_maker.sh` - launches Docker and generates the malicious cookie. Can be used standalone.
Usage: cookie_maker.sh <secret_key_base> "echo /etc/passwd > /tmp/owned"
### Dependencies
- Docker
### Submodules
- [cve-2020-10977](cve-2020-10977/cve_2020_10977.py) - submodule by [thewhiteh4t](https://github.com/thewhiteh4t/cve-2020-10977)
## Credits
Based on thewhiteh4t's repository: https://github.com/thewhiteh4t/cve-2020-10977
## Warning
It ~~can~~ should contain bugs. If `get_secret.py` finishes without errors but outputs no cookie, run it again.
File snapshot
[4.0K] /data/pocs/af40efbaebe331e251fd2b87a4974c8abc891399
├── [2.0K] cookie_maker.sh
├── [4.0K] cve-2020-10977
├── [3.2K] from-reading-to-execution.md
├── [2.5K] get_secret.py
└── [1.1K] README.md
1 directory, 4 files