first commit

gitlab/CVE-2016-9086/README.md

@@ -0,0 +1,35 @@
+# GitLab Arbitrary File Disclosure (CVE-2016-9086)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+GitLab is a web-based DevOps lifecycle tool that provides a Git repository manager providing wiki, issue-tracking and continuous integration and deployment pipeline features.
+
+Jobert Abma from HackerOne disclosed a critical security flaw in the "import/export project" feature of GitLab. Added in GitLab 8.9, this feature allows a user to export and then re-import their projects as tape archive files (tar). All GitLab versions prior to 8.13.0 restricted this feature to administrators only. Starting with version 8.13.0 this feature was made available to all users.
+
+This feature did not properly check for symbolic links in user-provided archives and therefore it was possible for an authenticated user to retrieve the contents of any file accessible to the GitLab service account. This included sensitive files such as those that contain secret tokens used by the GitLab service to authenticate users. Please see the issue for more details.
+
+References:
+
+- https://about.gitlab.com/releases/2016/11/02/cve-2016-9086-patches/
+- https://hackerone.com/reports/178152
+- http://paper.seebug.org/104/
+
+## Vulnerable environment
+
+Execute following command to start a GitLab Community Server 8.13.1:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse the `http://your-ip:8080` to see the website, the credentials of default administrator account are `root` and `vulhub123456`.
+
+## Exploit
+
+Signup and signin an account, then click the "GitLab export" button on the project creation page:
+
+![](2.png)
+
+Uploaded the file [test.tar.gz](test.tar.gz), and the file `/etc/passwd` is disclosed:
+
+![](1.png)

gitlab/CVE-2016-9086/README.zh-cn.md

@@ -0,0 +1,31 @@
+# GitLab 任意文件读取漏洞（CVE-2016-9086）
+
+GitLab是一款Ruby开发的Git项目管理平台。在8.9版本后添加的“导出、导入项目”功能，因为没有处理好压缩包中的软连接，已登录用户可以利用这个功能读取服务器上的任意文件。
+
+参考链接：
+
+- https://about.gitlab.com/releases/2016/11/02/cve-2016-9086-patches/
+- https://hackerone.com/reports/178152
+- http://paper.seebug.org/104/
+
+## 测试环境
+
+执行如下命令启动一个GitLab Community Server 8.13.1：
+
+```
+docker compose up -d
+```
+
+环境运行后，访问`http://your-ip:8080`即可查看GitLab主页，其ssh端口为10022，默认管理员账号、密码是`root`、`vulhub123456`。
+
+> 注意，请使用2G及以上内存的VPS或虚拟机运行该环境，实测1G内存的机器无法正常运行GitLab（运行后502错误）。
+
+## 漏洞复现
+
+注册并登录用户，新建一个项目，点击`GitLab export`：
+
+![](2.png)
+
+在导入页面，将[test.tar.gz](test.tar.gz)上传，将会读取到`/etc/passwd`文件内容：
+
+![](1.png)

gitlab/CVE-2016-9086/docker-compose.yml

@@ -0,0 +1,38 @@
+version: '2'
+
+services:
+  redis:
+    image: redis:4.0.14-alpine
+
+  postgresql:
+    image: postgres:11.9-alpine
+    environment:
+    - POSTGRES_USER=gitlab
+    - POSTGRES_PASSWORD=password
+    - POSTGRES_DB=gitlabhq_production
+    - DB_EXTENSION=pg_trgm
+    volumes:
+    - ./load-extensions.sh:/docker-entrypoint-initdb.d/load-extensions.sh
+
+  gitlab:
+    image: vulhub/gitlab:8.13.1
+    depends_on:
+    - redis
+    - postgresql
+    ports:
+    - "8080:80"
+    - "10022:22"
+    environment:
+    - DEBUG=false
+    - GITLAB_PORT=8080
+    - GITLAB_SSH_PORT=10022
+    - GITLAB_SECRETS_DB_KEY_BASE=secret-key-is-here1
+    - GITLAB_SECRETS_SECRET_KEY_BASE=secret-key-is-here2
+    - GITLAB_SECRETS_OTP_KEY_BASE=secret-key-is-here3
+    - DB_ADAPTER=postgresql
+    - DB_HOST=postgresql
+    - DB_USER=gitlab
+    - DB_PASS=password
+    - DB_NAME=gitlabhq_production
+    - REDIS_HOST=redis
+    - GITLAB_ROOT_PASSWORD=vulhub123456

gitlab/CVE-2016-9086/load-extensions.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# You could probably do this fancier and have an array of extensions
+# to create, but this is mostly an illustration of what can be done
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<EOF
+    create extension pg_trgm;
+    select * FROM pg_extension;
+EOF