GitLab password reset account takeover via unverified email address
CVE-2023-7028 is a critical vulnerability (CVSSv3 10.0) in GitLab Community Edition (CE) and Enterprise Edition (EE) in which the password reset workflow can send a reset email to an unverified email address. It affects all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2. An unauthenticated attacker who knows a victim's email address can submit a password reset request that names both the victim's address and an attacker-controlled address, so that the reset link for the victim's account is also delivered to the attacker. The request is a single HTTP POST to the password reset endpoint, and following the link gives the attacker control of the targeted account; the public exploit summaries below note that accounts with two-factor authentication enabled are not fully taken over this way.
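As an added example (not code from this page or from any of the PoC repositories listed below), the following Python encodes the affected ranges above so that a version string obtained from an instance (for example from the authenticated /api/v4/version endpoint) can be checked offline. The handling of edition suffixes such as "-ee" or "-ce.0" is an assumption about how the version is reported and is ignored by the parser.

```python
"""Check a GitLab version string against the CVE-2023-7028 affected ranges."""
import re

# Affected minor lines and the first patched release of each, taken from the
# advisory ranges quoted above. Minor lines outside this table (15.x, 16.0,
# 16.8 and later) are not affected.
FIXED_VERSIONS = {
    (16, 1): (16, 1, 6),
    (16, 2): (16, 2, 9),
    (16, 3): (16, 3, 7),
    (16, 4): (16, 4, 5),
    (16, 5): (16, 5, 6),
    (16, 6): (16, 6, 4),
    (16, 7): (16, 7, 2),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Parse '16.5.3', 'v16.5.3-ee' or '16.7.1-ce.0' into (major, minor, patch).

    Edition/build suffixes (assumed formats, e.g. '-ee' or '-ce.0') are
    ignored; a missing patch component such as '16.5' is treated as .0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version_text):
    """True if the version is in an affected minor line and below its fix."""
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return False
    return (major, minor, patch) < fixed


if __name__ == "__main__":
    for v in ("16.5.3-ee", "16.5.6-ee", "16.7.1", "16.7.2", "16.0.8", "16.8.0"):
        print(f"{v:12s} affected={is_affected(v)}")
```

Versions on the boundary matter: 16.7.1 is affected, 16.7.2 is the fix, and 16.0.x is outside the affected lines entirely.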
Exploits
7 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. 
Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.
This repository contains a Python proof-of-concept exploit for CVE-2023-7028, a vulnerability in GitLab's password reset functionality. The exploit consists of a single script, 'exploit.py', which automates the process of exploiting the vulnerability by sending a password reset request with both the victim's and attacker's email addresses. The script first fetches a CSRF token from the GitLab instance, then submits a POST request to the password reset endpoint with a specially crafted payload. The README.md briefly states the exploit's purpose. The exploit targets network-accessible GitLab instances and requires the attacker to know the victim's email address. The endpoints targeted are the password reset pages of the GitLab web application. The code is a functional proof-of-concept and does not include weaponized or framework-level features.
This repository provides a Python proof-of-concept exploit for CVE-2023-7028, a critical account takeover vulnerability in GitLab (versions 16.1 to 16.7.1). The exploit leverages a flaw in the password reset process, where an attacker can supply both the victim's and their own email addresses, causing the reset link to be sent to both. The script automates the attack by either using a supplied attacker email or generating a temporary email via 1secmail.com, then submitting the crafted reset request to the target GitLab instance. It can operate in single-target or mass-attack modes (using an email list), and supports rate limiting and a 'skip' mode for reconnaissance. The repository contains one main exploit script (CVE-2023-7028.py), a README with detailed usage instructions and examples, and a .gitignore. The exploit is operational and can result in full account takeover if the target does not have 2FA enabled. No fake or destructive code is present; the exploit is focused and functional.
This repository contains a proof-of-concept exploit for CVE-2023-7028, a vulnerability in GitLab's password reset functionality. The exploit is implemented in Python (attack.py) and automates the process of sending a crafted password reset request to a vulnerable GitLab instance. By supplying both a victim's and an attacker's email address in the request, the script triggers password reset emails to both, potentially allowing the attacker to hijack the victim's account if they can access the reset link. The script disables SSL verification warnings, fetches a CSRF token from the /users/password/new endpoint, and submits the malicious request to /users/password. The repository also includes a README.md with usage instructions. No hardcoded IPs or domains are present; the target URL is supplied by the user. The exploit is a standalone script and not part of a larger framework.
This repository contains a Python exploit script (attack.py) and a README.md describing the exploitation of CVE-2023-7028, a critical password reset poisoning vulnerability in GitLab. The exploit automates the process of sending a crafted password reset request to the /users/password endpoint, specifying both the victim's and an attacker-controlled email address. This results in password reset emails being sent to both addresses, allowing the attacker to reset the victim's password and take over their account. The script requires Python 3.x and the requests library, and is run from the command line with the target GitLab URL, victim's email, and attacker's email as arguments. The README provides detailed usage instructions and describes the manual steps to complete the account takeover. The exploit targets GitLab instances vulnerable to CVE-2023-7028 and demonstrates a proof-of-concept for this attack vector.
This repository contains a Python proof-of-concept exploit for CVE-2023-7028, a critical vulnerability in GitLab CE/EE that allows attackers to trigger a password reset for arbitrary users and have the reset email also delivered to an attacker-controlled address. The exploit script (CVE-2023-7028.py) takes as input the target GitLab instance URL, the victim's email, and the attacker's email. It first fetches a CSRF token from the password reset page, then submits a specially crafted POST request to the password reset endpoint, specifying both the victim and attacker emails. If the target is vulnerable, the attacker receives a password reset email for the victim account, potentially enabling account takeover. The README.md provides background on the vulnerability, affected versions, and usage instructions. The exploit targets self-managed GitLab instances running specific vulnerable versions and requires network access to the target instance.
This repository contains a Python proof-of-concept exploit for CVE-2023-7028, a critical account takeover vulnerability in GitLab (versions 16.1 to 16.7.1). The exploit leverages a flaw in the password reset process, where a reset request can be sent to both the victim's and attacker's email addresses. The script automates the attack by either using a supplied attacker email or generating a temporary email via 1secmail.com. It submits a crafted password reset request to the target GitLab instance, monitors the attacker's inbox for the reset link, and completes the password reset process, ultimately providing the attacker with access to the victim's account. The repository consists of the main exploit script (CVE-2023-7028.py) and a README.md with detailed usage instructions, affected versions, and references. The exploit is a POC and does not include advanced payload customization or post-exploitation features.
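The exploit summaries above all describe the same request shape: a POST to /users/password that carries the victim's and the attacker's addresses together in the user[email] parameter. The added Python below (not code from this page or from any of these repositories) turns that into a log hunt: it parses JSON request-log lines shaped like GitLab's gitlab-rails/production_json.log and flags reset requests whose user[email] value is an array instead of the single string the stock form sends. The field names used (method, path, remote_ip, time, and params as key/value pairs) are modelled on that log but assumed here, and the sample lines are constructed for the example; check both against a real log before relying on the rule.

```python
"""Hunt for CVE-2023-7028-style password reset requests in GitLab request logs.

Field names are modelled on gitlab-rails/production_json.log and are an
assumption of this example; adjust them to match the log you actually have.
"""
import json

# Constructed sample lines (not real traffic). Line 1 is a normal reset
# request; line 2 carries two addresses in user[email][]; line 3 is a
# single-element array, still abnormal for the stock form; line 4 is noise.
SAMPLE_LOG = """
{"method":"POST","path":"/users/password","status":302,"remote_ip":"203.0.113.10","time":"2024-01-12T09:14:02.114Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"alice@example.com"}}]}
{"method":"POST","path":"/users/password","status":302,"remote_ip":"198.51.100.77","time":"2024-01-12T09:15:40.902Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["alice@example.com","attacker@example.net"]}}]}
{"method":"POST","path":"/users/password","status":302,"remote_ip":"198.51.100.77","time":"2024-01-12T09:16:01.330Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["bob@example.com"]}}]}
{"method":"GET","path":"/users/password/new","status":200,"remote_ip":"203.0.113.10","time":"2024-01-12T09:13:58.001Z","params":[]}
""".strip().splitlines()


def _user_param(entry):
    """Return the nested value of the 'user' request parameter, or None."""
    for p in entry.get("params", []):
        if p.get("key") == "user" and isinstance(p.get("value"), dict):
            return p["value"]
    return None


def classify(entry):
    """Classify one parsed log entry.

    Returns None for uninteresting requests, otherwise a dict describing why
    the request looks like an attempt to abuse the email array parameter.
    """
    if entry.get("method") != "POST" or entry.get("path") != "/users/password":
        return None
    user = _user_param(entry)
    if user is None:
        return None
    email = user.get("email")
    if not isinstance(email, list):
        return None  # a plain string is what the stock reset form submits
    addresses = sorted({str(a).strip().lower() for a in email})
    return {
        "time": entry.get("time"),
        "remote_ip": entry.get("remote_ip"),
        "addresses": addresses,
        # Two or more distinct addresses is the exploitation signature; a
        # single-element array is still not something the form produces.
        "severity": "high" if len(addresses) > 1 else "medium",
    }


def scan(lines):
    """Parse JSON log lines and return the suspicious entries, skipping junk."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line; do not abort the hunt
        hit = classify(entry)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "high" hit names both the victim and the address the reset link was diverted to, which is exactly what an incident responder needs to decide which accounts to force-reset and which sessions to revoke; the "medium" case is worth a look because a single-element array still indicates a hand-built request.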
Affected products & vendors
GitLab Community Edition (CE) and Enterprise Edition (EE), in the version ranges listed above.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A general mention of the GitLab vulnerability that gives no technical details.
A GitLab account takeover vulnerability in GitLab Community and Enterprise Editions that allows password reset emails to be sent to an unverified email address.
GitLab account takeover via password reset weakness, positioned as supply-chain relevant; public exploit availability is explicitly mentioned.
A critical vulnerability in GitLab CE/EE allowing unauthenticated attackers to send password reset emails for any user to an arbitrary address, enabling account takeover via a simple HTTP POST request. CVSSv3 score 10.0.