From 004fdfd467d849f2422c7aebbada8776005a8158 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 27 Apr 2022 05:01:59 +0000 Subject: [PATCH] DB: 2022-04-27 4 changes to exploits/shellcodes 7-zip - Code Execution / Local Privilege Escalation Gitlab 14.9 - Authentication Bypass GitLab 14.9 - Stored Cross-Site Scripting (XSS) --- exploits/ruby/webapps/50888.txt | 17 +++++++++++++++++ exploits/ruby/webapps/50889.txt | 19 +++++++++++++++++++ exploits/windows/local/50883.txt | 22 ---------------------- files_exploits.csv | 3 ++- 4 files changed, 38 insertions(+), 23 deletions(-) create mode 100644 exploits/ruby/webapps/50888.txt create mode 100644 exploits/ruby/webapps/50889.txt delete mode 100644 exploits/windows/local/50883.txt diff --git a/exploits/ruby/webapps/50888.txt b/exploits/ruby/webapps/50888.txt new file mode 100644 index 000000000..de9ff0160 --- /dev/null +++ b/exploits/ruby/webapps/50888.txt @@ -0,0 +1,17 @@ +# Exploit Title: Gitlab 14.9 - Authentication Bypass +# Date: 12/04/2022 +# Exploit Authors: Greenwolf & stacksmashing +# Vendor Homepage: https://about.gitlab.com/ +# Software Link: https://about.gitlab.com/install +# Version: GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 +# Tested on: Linux +# CVE : CVE-2022-1162 +# References: https://github.com/Greenwolf/CVE-2022-1162 + +A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. + +Exploit: + +New Gitlab Accounts (created since the first affect version and if Gitlab is before the patched version) can be logged into with the following password: + +123qweQWE!@#000000000 \ No newline at end of file diff --git a/exploits/ruby/webapps/50889.txt b/exploits/ruby/webapps/50889.txt new file mode 100644 index 000000000..443839f0b --- /dev/null +++ b/exploits/ruby/webapps/50889.txt @@ -0,0 +1,19 @@ +# Exploit Title: Gitlab Stored XSS +# Date: 12/04/2022 +# Exploit Authors: Greenwolf & stacksmashing +# Vendor Homepage: https://about.gitlab.com/ +# Software Link: https://about.gitlab.com/install +# Version: GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 +# Tested on: Linux +# CVE : CVE-2022-1175 +# References: https://github.com/Greenwolf/CVE-2022-1175 + +Any user can create a project with Stored XSS in an issue. XSS on Gitlab is very dangerous and it can create personal access tokens leading users who visit the XSS page to silently have the accounts backdoor. + +Can be abused by changing the base of the project to your site, so scripts are sourced by your site. Change javascript on your site to match the script names being called in the page. This can break things on the page though. + +

+
+Standard script include also works depending on the sites CSP policy. This is more stealthy.
+
+

\ No newline at end of file
diff --git a/exploits/windows/local/50883.txt b/exploits/windows/local/50883.txt
deleted file mode 100644
index 836ce762b..000000000
--- a/exploits/windows/local/50883.txt
+++ /dev/null
@@ -1,22 +0,0 @@
-# Exploit Title: 7-zip - Code Execution / Local Privilege Escalation
-# Exploit Author:  Kağan Çapar
-# Date: 2020-04-12
-# Vendor homepage: https://www.7-zip.org/
-# Software link: https://www.7-zip.org/a/7z2107-x64.msi
-# Version: 21.07 and all versions
-# Tested On: Windows 10 Pro (x64)
-# References: https://github.com/kagancapar/CVE-2022-29072
-
-# About:
-7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area.
-
-# Proof of Concept:
-
-
-
-
-
-
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 11ec16017..3ea65bef8 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11479,7 +11479,6 @@ id,file,description,date,author,type,platform,port
 50859,exploits/windows/local/50859.txt,"MiniTool Partition Wizard - Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
 50867,exploits/windows/local/50867.txt,"Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
 50868,exploits/windows/local/50868.txt,"Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
-50883,exploits/windows/local/50883.txt,"7-zip - Code Execution / Local Privilege Escalation",1970-01-01,"Kağan Çapar",local,windows,
 50885,exploits/windows/local/50885.txt,"PTPublisher v2.3.4 - Unquoted Service Path",1970-01-01,bios,local,windows,
 50886,exploits/windows/local/50886.txt,"EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path",1970-01-01,bios,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
@@ -44953,3 +44952,5 @@ id,file,description,date,author,type,platform,port
 50881,exploits/php/webapps/50881.txt,"PKP Open Journals System 3.3 - Cross-Site Scripting (XSS)",1970-01-01,"Hemant Kashyap",webapps,php,
 50882,exploits/php/webapps/50882.py,"WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,AkuCyberSec,webapps,php,
 50884,exploits/php/webapps/50884.txt,"Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)",1970-01-01,"Ali J",webapps,php,
+50888,exploits/ruby/webapps/50888.txt,"Gitlab 14.9 - Authentication Bypass",1970-01-01,Greenwolf,webapps,ruby,
+50889,exploits/ruby/webapps/50889.txt,"GitLab 14.9 - Stored Cross-Site Scripting (XSS)",1970-01-01,Greenwolf,webapps,ruby,