## https://sploitus.com/exploit?id=2DB805FE-17FB-5841-B802-028048B22820
# Gitlab-Exiftool-RCE
Original repos : https://github.com/CsEnox/Gitlab-Exiftool-RCE
Creds to CsEnox.
RCE Exploit for Gitlab < 13.10.3
- GitLab Workhorse will pass any file to ExifTool. The current bug is in the DjVu module of ExifTool.
- Anyone with the ability to upload an image that goes through the GitLab Workhorse could achieve RCE via a specially crafted file
## Usage
```
python3 exploit.py -c "command here" -t http://gitlab.example.com
```
## Environment
- Tested on Gitlab 13.10.2 Community Edition
- Building your own test environment :
```
export GITLAB_HOME=/srv/gitlab
sudo docker run --detach \
--hostname gitlab.example.com \
--publish 443:443 --publish 80:80 \
--name gitlab \
--restart always \
--volume $GITLAB_HOME/config:/etc/gitlab \
--volume $GITLAB_HOME/logs:/var/log/gitlab \
--volume $GITLAB_HOME/data:/var/opt/gitlab \
gitlab/gitlab-ce:13.10.2-ce.0
```
## Credits
- https://hackerone.com/reports/1154542 : vakzz
- https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
## Exploit-DB
- https://www.exploit-db.com/exploits/49951