Skip to content

Commit

Permalink
Land rapid7#19381, Fix gitlab_login scanner
Browse files Browse the repository at this point in the history
This fixes the gitlab_login scanner so that it uses the proper datastore
options Username and Password which are the standard for login scanners.
Before this fix the scanner was using HttpUsername and HttpPassword and
ignoring the datastore options Username and Password
  • Loading branch information
jheysel-r7 committed Aug 30, 2024
2 parents b77b640 + 38b9278 commit f951f25
Show file tree
Hide file tree
Showing 2 changed files with 104 additions and 19 deletions.
87 changes: 87 additions & 0 deletions documentation/modules/auxiliary/scanner/http/gitlab_login.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
## Vulnerable Application

This module was successfully tested on:

* gitlab-ce (v17.2.2-ce.0) installed with Docker on Kali Linux 6.6.15

### Description

This module is a brute-force login scanner that attempts to authenticate to the GitLab with username and password combinations.

## Installation (latest version of gitlab-ce at the time of this writing)

1. `docker pull gitlab/gitlab-ce:17.2.2-ce.0`
2. `sudo mkdir -p /srv/gitlab/config /srv/gitlab/logs /srv/gitlab/data`
3. Run the GitLab.
```
docker run --detach \
--hostname localhost \
--publish 443:443 --publish 80:80 --publish 22:22 \
--name gitlab \
--restart always \
--volume /srv/gitlab/config:/etc/gitlab \
--volume /srv/gitlab/logs:/var/log/gitlab \
--volume /srv/gitlab/data:/var/opt/gitlab \
gitlab/gitlab-ce:17.2.2-ce.0
```
4. (Get initial password)
`docker exec gitlab cat etc/gitlab/initial_root_password | grep Password:`

## Verification Steps

1. Install GitLab and start it
2. Start `msfconsole`
3. Do: `use auxiliary/scanner/http/gitlab_login`
4. Do: `set rhosts`
5. Do: set usernames and passwords via the `username` and `password` options, or pass a list via `user_file` and `pass_file` options
5. Do: `run`
6. You will hopefully see something similar to:

```
[+] 192.168.56.6:80 - Login Successful: root:strongpasswordcannotguess
```

## Options

## Scenarios

### Single set of credentials being passed
```
msf6 > use auxiliary/scanner/http/gitlab_login
msf6 auxiliary(scanner/http/gitlab_login) > run rhosts=192.168.56.6 username=root password=strongpasswordcannotguess
[*] 192.168.56.6:80 - GitLab v7 login page
[!] No active DB -- Credential data will not be saved!
[+] 192.168.56.6:80 - Login Successful: root:strongpasswordcannotguess
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

### Multiple credentials being passed
```
msf6 > use auxiliary/scanner/http/gitlab_login
msf6 auxiliary(scanner/http/gitlab_login) > run rhosts=192.168.56.6 user_file=/tmp/user.txt pass_file=/tmp/pass.txt
[*] 192.168.56.6:80 - GitLab v7 login page
[!] No active DB -- Credential data will not be saved!
[-] 192.168.56.6:80 - LOGIN FAILED: root:123456 (Incorrect)
[-] 192.168.56.6:80 - LOGIN FAILED: root:123456789 (Incorrect)
[-] 192.168.56.6:80 - LOGIN FAILED: root:picture1 (Incorrect)
[-] 192.168.56.6:80 - LOGIN FAILED: root:password (Incorrect)
[-] 192.168.56.6:80 - LOGIN FAILED: root:12345678 (Incorrect)
[+] 192.168.56.6:80 - Login Successful: root:strongpasswordcannotguess
[-] 192.168.56.6:80 - LOGIN FAILED: admin:123456 (Incorrect)
[-] 192.168.56.6:80 - LOGIN FAILED: admin:123456789 (Incorrect)
[-] 192.168.56.6:80 - LOGIN FAILED: admin:picture1 (Incorrect)
[-] 192.168.56.6:80 - LOGIN FAILED: admin:password (Incorrect)
[-] 192.168.56.6:80 - LOGIN FAILED: admin:12345678 (Incorrect)
[-] 192.168.56.6:80 - LOGIN FAILED: admin:strongpasswordcannotguess (Incorrect)
[-] 192.168.56.6:80 - LOGIN FAILED: test:123456 (Incorrect)
[-] 192.168.56.6:80 - LOGIN FAILED: test:123456789 (Incorrect)
[-] 192.168.56.6:80 - LOGIN FAILED: test:picture1 (Incorrect)
[-] 192.168.56.6:80 - LOGIN FAILED: test:password (Incorrect)
[-] 192.168.56.6:80 - LOGIN FAILED: test:12345678 (Incorrect)
[-] 192.168.56.6:80 - LOGIN FAILED: test:strongpasswordcannotguess (Incorrect)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
36 changes: 17 additions & 19 deletions modules/auxiliary/scanner/http/gitlab_login.rb
Original file line number Diff line number Diff line change
Expand Up @@ -14,47 +14,45 @@ class MetasploitModule < Msf::Auxiliary

def initialize
super(
'Name' => 'GitLab Login Utility',
'Name' => 'GitLab Login Utility',
'Description' => 'This module attempts to login to a GitLab instance using a specific user/pass.',
'Author' => [ 'Ben Campbell' ],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://labs.f-secure.com/archive/gitlab-user-enumeration/']
]
'Author' => [ 'Ben Campbell' ],
'License' => MSF_LICENSE,
'References' => [
['URL', 'https://labs.f-secure.com/archive/gitlab-user-enumeration/']
]
)

register_options(
[
Opt::RPORT(80),
OptString.new('HttpUsername', [ true, 'The username to test', 'root' ]),
OptString.new('HttpPassword', [ true, 'The password to test', '5iveL!fe' ]),
OptString.new('TARGETURI', [true, 'The path to GitLab', '/'])
])
]
)

register_autofilter_ports([ 80, 443 ])
end

def run_host(ip)
uri = normalize_uri(target_uri.path.to_s, 'users', 'sign_in')
res = send_request_cgi(
'method' => 'GET',
'cookie' => 'request_method=GET',
'uri' => uri
'method' => 'GET',
'cookie' => 'request_method=GET',
'uri' => uri
)

if res && res.body && res.body.include?('user[email]')
vprint_status("GitLab v5 login page")
vprint_status('GitLab v5 login page')
elsif res && res.body && res.body.include?('user[login]')
vprint_status("GitLab v7 login page")
vprint_status('GitLab v7 login page')
else
vprint_error('Not a valid GitLab login page')
return
end

cred_collection = build_credential_collection(
username: datastore['HttpUsername'],
password: datastore['HttpPassword']
username: datastore['USERNAME'],
password: datastore['PASSWORD']
)

scanner = Metasploit::Framework::LoginScanner::GitLab.new(
Expand All @@ -70,8 +68,8 @@ def run_host(ip)
scanner.scan! do |result|
credential_data = result.to_h
credential_data.merge!(
module_fullname: fullname,
workspace_id: myworkspace_id
module_fullname: fullname,
workspace_id: myworkspace_id
)
if result.success?
credential_core = create_credential(credential_data)
Expand Down

0 comments on commit f951f25

Please sign in to comment.