Module: Msf::Exploit::Remote::HTTP::Gitea::Repository

Included in:
Msf::Exploit::Remote::HTTP::Gitea
Defined in:
lib/msf/core/exploit/remote/http/gitea/repository.rb

Instance Method Summary collapse

Instance Method Details

#gitea_create_repo(name, timeout = 20) ⇒ uid?

performs a gitea repository creation

Parameters:

  • name (String)

    Repository name

  • timeout (Integer) (defaults to: 20)

    The maximum number of seconds to wait before the request times out

Returns:

  • (uid, nil)

    the repository uid as a single string on successful creation, nil or raise RepositoryError and CsrfError otherwise

Raises:



11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
 
# File 'lib/msf/core/exploit/remote/http/gitea/repository.rb', line 11

def gitea_create_repo(name, timeout = 20)
  res = send_request_cgi({
    'uri' => gitea_url_repo_create,
    'keep_cookies' => true
  }, timeout)
  return nil unless res

  uid = gitea_get_repo_uid(res)
  raise Msf::Exploit::Remote::HTTP::Gitea::Error::RepositoryError.new('Unable to get repo uid') unless uid

  csrf = gitea_get_csrf(res)
  raise Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError.new unless csrf

  res = send_request_cgi(
    'method' => 'POST',
    'uri' => gitea_url_repo_create,
    'vars_post' => gitea_helper_repo_create_post_data(name, uid, csrf),
    'keep_cookies' => true
  )
  raise Msf::Exploit::Remote::HTTP::Gitea::Error::RepositoryError.new('Unable to create repo') if res&.code != 302
  return uid
end

#gitea_migrate_repo(name, uid, url, token, timeout = 20) ⇒ Rex::Proto::Http::Response, MigrationError

performs a gitea repository migration

Parameters:

  • name (String)

    Repository name

  • name (String)

    Repository uid

  • timeout (Integer) (defaults to: 20)

    The maximum number of seconds to wait before the request times out

Returns:

Raises:



42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
 
# File 'lib/msf/core/exploit/remote/http/gitea/repository.rb', line 42

def gitea_migrate_repo(name, uid, url, token, timeout = 20)
  res = send_request_cgi({
    'uri' => gitea_url_repo_migrate,
    'keep_cookies' => true
  }, timeout)
  return nil unless res

  uri = gitea_get_service_type_uri(res)
  raise Msf::Exploit::Remote::HTTP::Gitea::Error::WebError.new('Unable to get service type uri') unless uri

  service = Rack::Utils.parse_query(URI.parse(uri).query)['service_type']
  res = send_request_cgi(
    'uri' => normalize_uri(target_uri.path, uri),
    'keep_cookies' => true
  )
  csrf = gitea_get_csrf(res)
  raise Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError.new unless csrf

  res = send_request_cgi(
    'method' => 'POST',
    'uri' => uri,
    'vars_post' => gitea_helper_repo_migrate_post_data(name, uid, service, url, token, csrf),
    'keep_cookies' => true
  )
  if res&.code != 302 # possibly triggered by the [migrations] settings
    err = res&.get_html_document&.at('//div[contains(@class, flash-error)]/p')&.text
    raise Msf::Exploit::Remote::HTTP::Gitea::Error::MigrationError.new(err)
  end
  return res
end

#gitea_remove_repo(path, timeout = 20) ⇒ Rex::Proto::Http::Response

performs a gitea repository deletion

Parameters:

  • path (String)

    Repository path (/username/reponame)

  • timeout (Integer) (defaults to: 20)

    The maximum number of seconds to wait before the request times out

Returns:

Raises:



80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
 
# File 'lib/msf/core/exploit/remote/http/gitea/repository.rb', line 80

def gitea_remove_repo(path, timeout = 20)
  uri = gitea_url_repo_settings(path)
  res = send_request_cgi({
    'uri' => uri,
    'keep_cookies' => true
  }, timeout)
  return nil unless res
  return res if res&.code == 404 # return res if 404 to handling cleanup

  csrf = gitea_get_csrf(res)
  raise Msf::Exploit::Remote::HTTP::Gitea::Error::CsrfError.new unless csrf

  name = path.split('/').last
  send_request_cgi(
    'method' => 'POST',
    'uri' => uri,
    'vars_post' => gitea_helper_repo_remove_post_data(name, csrf),
    'keep_cookies' => true
  )
end