HTB_cat

linux(Med)

总结

user.txt：

代码审计(xss反弹cookie->sql盲注)

root.txt：

端口转发->敏感文件内容泄露->gitea-xss

由于session容易失效，且sqlmap爆破有点慢，所以最好弄个python脚本自动化完成这部分(xss->文件上传->sqlmap)

后台的py是这样的，尝试提取邮件文件中的url，并访问

...
deflogin_and_navigate_urls():
    driver.delete_all_cookies()
    wait = WebDriverWait(driver, 10)
    login_url = "http://localhost:3000/user/login"
    url_pattern = r'(https?://[^s]+)'
    urls = []

try:
withopen('/var/mail/jobert', 'r') as mail_file:
for line in mail_file:
                found_urls = re.findall(url_pattern, line)
                urls.extend(found_urls)
print(found_urls)
except FileNotFoundError:
pass

   ...
for url in urls:
try:
            driver.get(url)
            wait.until(EC.presence_of_element_located((By.TAG_NAME, "body")))
            sleep(5)
            wait.until(EC.presence_of_element_located((By.CSS_SELECTOR, ".repo-description > a"))).click()
            sleep(5)
except Exception as e:
print(e)

参考

wp: Ne_O师傅

https://github.com/arthaud/git-dumper

pip install git-dumper

https://www.exploit-db.com/exploits/52077

## Steps to Reproduce
1. Log in to the application.
2. Create a new repository or modify an existing repository by clicking the Settings button from the `$username/$repo_name/settings` endpoint.
3. In the Description field, input the following payload:

    <a href=javascript:alert()>XSS test</a>

4. Save the changes.
5. Upon clicking the repository description, the payload was successfully injected in the Description field. By clicking on the message, an alert box will appear, indicating the execution of the injected script.