enoy19/Gitlab CVE-2023-7028 production_json.log scanner.md

## Gitlab CVE-2023-7028 production_json.log scanner.md

      
    Raw
  

              Gitlab CVE-2023-7028 production_json.log scanner.md
            
          
    Prerequisites


jq

How to use

$ ./scan.sh production_json.log

Example Output:
Email count in prodlogs/production_json.log.0: 2
Emails:
admin@example.com
badperson@malicious.com
Time:
2024-01-15T13:37:00.420Z
-------------------------
Email count in prodlogs/production_json.log.1: 2
Emails:
admin@example.com
hacker@192.X.X.X
Time:
2024-01-14T01:00:03.000Z
-------------------------
Email count in prodlogs/production_json.log.1: 2
Emails:
admin@local.host
bob@bobsmailserver.com
Time:
2024-01-14T00:00:00.000Z
-------------------------

You should extract all logs (gitlab-rails/production_json.log.*.gz) and scan them all
Move the logs into it's own directory and run:
$ ./scan.sh prodlogs/production_json.log.*


## scan.sh
#!/bin/bash

# Check if jq is installed
if ! command -v jq &> /dev/null
then
    echo "jq could not be found, please install it to run this script."
    exit 1
fi

# Check if at least one file is provided
if [ $# -eq 0 ]; then
    echo "No files provided. Usage: $0 file1 [file2 ...]"
    exit 1
fi

# Iterate over each file passed as an argument
for FILE_NAME in "$@"
do
    # Check if the file exists
    if [ ! -f "$FILE_NAME" ]; then
        echo "File not found: $FILE_NAME"
        continue
    fi

    # Iterate over each line in the file
    while IFS= read -r line
    do
        # Use jq to count emails in the params array where key is "user"
        email_count=$(echo "$line" | jq '.params[] | select(.key == "user") | .value.email | length')

        # Print the count if it is not an empty string
        if [ -n "$email_count" ]; then
            if [ "$email_count" -gt 1 ]; then
                echo "Email count in $FILE_NAME: $email_count"
                echo "Emails:"
                echo "$line" | jq -r '.params[] | select(.key == "user") | .value.email[]'
                echo "Time:"
                echo "$line" | jq -r '.time'
                echo "-------------------------"
            fi
        fi
    done < "$FILE_NAME"
done
	#!/bin/bash

	# Check if jq is installed
	if ! command -v jq &> /dev/null
	then
	echo "jq could not be found, please install it to run this script."
	exit 1
	fi

	# Check if at least one file is provided
	if [ $# -eq 0 ]; then
	echo "No files provided. Usage: $0 file1 [file2 ...]"
	exit 1
	fi

	# Iterate over each file passed as an argument
	for FILE_NAME in "$@"
	do
	# Check if the file exists
	if [ ! -f "$FILE_NAME" ]; then
	echo "File not found: $FILE_NAME"
	continue
	fi

	# Iterate over each line in the file
	while IFS= read -r line
	do
	# Use jq to count emails in the params array where key is "user"
	email_count=$(echo "$line" \| jq '.params[] \| select(.key == "user") \| .value.email \| length')

	# Print the count if it is not an empty string
	if [ -n "$email_count" ]; then
	if [ "$email_count" -gt 1 ]; then
	echo "Email count in $FILE_NAME: $email_count"
	echo "Emails:"
	echo "$line" \| jq -r '.params[] \| select(.key == "user") \| .value.email[]'
	echo "Time:"
	echo "$line" \| jq -r '.time'
	echo "-------------------------"
	fi
	fi
	done < "$FILE_NAME"
	done