Monday, January 26, 2015

DevOoops: Revision Control (GitList)


More info from the DevOoops talk

Remote Code Execution in GitList

Background blog post: http://hatriot.github.io/blog/2014/06/29/gitlist-rce/

P.S. if you don't read that blog, you should :-)

http://www.exploit-db.com/exploits/33929/

MSF module:
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/gitlist_exec.rb

Read the blog post for the interesting details.


fun screenies

Manually checking if a site is vulnerable


Backdoor PHP using the python POC


Shell via the metasploit module

I didn't think anyone used this stuff, but it's apparently pretty popular.


Fixes:

The current stable version, 0.5.0, fixes the issue.


CG
