SCMKit: A Powerful Security Testing Suite for Source Code Management Systems
2022-12-04 21:57:14
Location: Guangxi

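About SCMKit

SCMKit, short for Source Code Management Attack Toolkit, is a powerful toolkit for penetration testing source code management (SCM) systems.

SCMKit lets researchers specify the SCM system and the penetration-testing module to use, along with valid credentials for that SCM system (username/password or API key). The current version supports GitHub Enterprise, GitLab Enterprise and Bitbucket Server. The supported modules cover reconnaissance, privilege escalation and persistence.

SCMKit is built in a modular way, so the information security community can add new penetration-testing modules and supported SCM systems in the future as needed.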

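Third-party libraries used

The project uses the following third-party libraries:

Library         | URL                                        | License
----------------|--------------------------------------------|--------
Octokit         | https://github.com/octokit/octokit.net     | MIT
Fody            | https://github.com/Fody/Fody               | MIT
GitLabApiClient | https://github.com/nmklotas/GitLabApiClient | MIT
Newtonsoft.Json | https://github.com/JamesNK/Newtonsoft.Json | MIT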

Download

Clone the project source locally with the following command:

git clone https://github.com/h4wkst3r/SCMKit.git

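Building the code

The project source can be imported into Visual Studio and built there. The build requires .NET libraries, which can be installed through the NuGet package manager.

First, load the Visual Studio project, then go to "Tools" --> "NuGet Package Manager" --> "Package Manager Settings".

Go to "NuGet Package Manager" --> "Package Sources".

Add a package source with the URL https://api.nuget.org/v3/index.json.

Install the following NuGet packages: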

Install-Package Costura.Fody -Version 3.3.3

Install-Package Octokit

Install-Package GitLabApiClient

Install-Package Newtonsoft.Json

After that, the project can be built.

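Usage

Arguments/Options

-c, -credential - credentials for authentication (username:password or apiKey)

-s, -system - target system (github, gitlab, bitbucket)

-u, -url - URL of the GitHub Enterprise, GitLab Enterprise or Bitbucket Server instance

-m, -module - module to run

-o, -option - options for the module

Systems (-s, -system)

github: GitHub Enterprise

gitlab: GitLab Enterprise

bitbucket: Bitbucket Server

Modules (-m, -module)

listrepo: list all repositories the current user can see

searchrepo: search for a given repository

searchcode: search for code containing the keyword search term

searchfile: search for file names containing the keyword search term

listsnippet: list all snippets of the current user

listrunner: list all GitLab runners available to the current user

listgist: list all gists of the current user

listorg: list all organizations the current user belongs to

privs: get the privileges of the current API token

addadmin: promote the given user to the admin role

removeadmin: demote the given user from the admin role

createpat: create a personal access token for the target user

listpat: list the personal access tokens of the target user

removepat: remove a personal access token of the target user

createsshkey: create an SSH key for the current user

listsshkey: list the SSH keys of the current user

removesshkey: remove an SSH key of the current user

adminstats: get admin stats (users, repos, orgs, gists)

protection: get branch protection settings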

Usage examples

Repository enumeration

GitHub Enterprise

SCMKit.exe -s github -m listrepo -c userName:password -u https://github.something.local

SCMKit.exe -s github -m listrepo -c apiKey -u https://github.something.local

GitLab Enterprise

SCMKit.exe -s gitlab -m listrepo -c userName:password -u https://gitlab.something.local

SCMKit.exe -s gitlab -m listrepo -c apiKey -u https://gitlab.something.local

Bitbucket Server

SCMKit.exe -s bitbucket -m listrepo -c userName:password -u https://bitbucket.something.local

SCMKit.exe -s bitbucket -m listrepo -c apiKey -u https://bitbucket.something.local

Sample output

C:\>SCMKit.exe -s gitlab -m listrepo -c username:password -u https://gitlab.hogwarts.local

 

==================================================

Module:         listrepo

System:         gitlab

Auth Type:      Username/Password

Options:

Target URL:     https://gitlab.hogwarts.local

 

Timestamp:      1/14/2022 8:30:47 PM

==================================================

 

                                    Name | Visibility |                                                URL

----------------------------------------------------------------------------------------------------------

                            MaraudersMap |    Private | https://gitlab.hogwarts.local/hpotter/maraudersmap

                            testingStuff |   Internal | https://gitlab.hogwarts.local/adumbledore/testingstuff

                               Spellbook |   Internal |    https://gitlab.hogwarts.local/hpotter/spellbook

       findShortestPathToGryffindorSword |   Internal | https://gitlab.hogwarts.local/hpotter/findShortestPathToGryffindorSword

                                  charms |     Public |      https://gitlab.hogwarts.local/hgranger/charms

                           Secret-Spells |   Internal | https://gitlab.hogwarts.local/adumbledore/secret-spells

                              Monitoring |   Internal | https://gitlab.hogwarts.local/gitlab-instance-10590c85/Monitoring

Repository search

GitHub Enterprise

SCMKit.exe -s github -m searchrepo -c userName:password -u https://github.something.local -o "some search term"

SCMKit.exe -s github -m searchrepo -c apikey -u https://github.something.local -o "some search term"

GitLab Enterprise

SCMKit.exe -s gitlab -m searchrepo -c userName:password -u https://gitlab.something.local -o "some search term"

SCMKit.exe -s gitlab -m searchrepo -c apikey -u https://gitlab.something.local -o "some search term"

Bitbucket Server

SCMKit.exe -s bitbucket -m searchrepo -c userName:password -u https://bitbucket.something.local -o "some search term"

SCMKit.exe -s bitbucket -m searchrepo -c apikey -u https://bitbucket.something.local -o "some search term"

Sample output

C:\>SCMKit.exe -s gitlab -m searchrepo -c apiKey -u https://gitlab.hogwarts.local -o "spell"

 

==================================================

Module:         searchrepo

System:         gitlab

Auth Type:      API Key

Options:        spell

Target URL:     https://gitlab.hogwarts.local

 

Timestamp:      1/14/2022 8:32:30 PM

==================================================

 

                                    Name | Visibility |                                                URL

----------------------------------------------------------------------------------------------------------

                               Spellbook |   Internal |    https://gitlab.hogwarts.local/hpotter/spellbook

                           Secret-Spells |   Internal | https://gitlab.hogwarts.local/adumbledore/secret-spells

Code search

GitHub Enterprise

SCMKit.exe -s github -m searchcode -c userName:password -u https://github.something.local -o "some search term"

SCMKit.exe -s github -m searchcode -c apikey -u https://github.something.local -o "some search term"

GitLab Enterprise

SCMKit.exe -s gitlab -m searchcode -c userName:password -u https://gitlab.something.local -o "some search term"

SCMKit.exe -s gitlab -m searchcode -c apikey -u https://gitlab.something.local -o "some search term"

Bitbucket Server

SCMKit.exe -s bitbucket -m searchcode -c userName:password -u https://bitbucket.something.local -o "some search term"

SCMKit.exe -s bitbucket -m searchcode -c apikey -u https://bitbucket.something.local -o "some search term"

Sample output

C:\>SCMKit.exe -s gitlab -m searchcode -c username:password -u https://gitlab.hogwarts.local -o "api_key"

 

==================================================

Module:         searchcode

System:         gitlab

Auth Type:      Username/Password

Options:        api_key

Target URL:     https://gitlab.hogwarts.local

 

Timestamp:      1/14/2022 8:34:14 PM

==================================================

 

 

[>] URL: https://gitlab.hogwarts.local/adumbledore/secret-spells/stuff.txt

    |_ API_KEY=abc123

 

Total number of items matching code search: 1

File search

GitHub Enterprise

SCMKit.exe -s github -m searchfile -c userName:password -u https://github.something.local -o "some search term"

SCMKit.exe -s github -m searchfile -c apikey -u https://github.something.local -o "some search term"

GitLab Enterprise

SCMKit.exe -s gitlab -m searchfile -c userName:password -u https://gitlab.something.local -o "some search term"

SCMKit.exe -s gitlab -m searchfile -c apikey -u https://gitlab.something.local -o "some search term"

Bitbucket Server

SCMKit.exe -s bitbucket -m searchfile -c userName:password -u https://bitbucket.something.local -o "some search term"

SCMKit.exe -s bitbucket -m searchfile -c apikey -u https://bitbucket.something.local -o "some search term"

Sample output

C:\source\SCMKit\SCMKit\bin\Release>SCMKit.exe -s bitbucket -m searchfile -c apikey -u http://bitbucket.hogwarts.local:7990 -o jenkinsfile

 

==================================================

Module:         searchfile

System:         bitbucket

Auth Type:      API Key

Options:        jenkinsfile

Target URL:     http://bitbucket.hogwarts.local:7990

 

Timestamp:      1/14/2022 10:17:59 PM

==================================================

 

 

[>] REPO: http://bitbucket.hogwarts.local:7990/scm/~HPOTTER/hpotter

    [>] FILE: Jenkinsfile

 

[>] REPO: http://bitbucket.hogwarts.local:7990/scm/STUD/cred-decryption

    [>] FILE: subDir/Jenkinsfile

 

Total matching results: 2
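
Added example (not part of the original article or of SCMKit's code): the searchcode and searchfile runs above show how quickly a committed credential or a CI definition surfaces for anyone with read access. This Python script runs the same two checks against a local checkout so repository owners can find such material first; the keyword list, file-name terms and sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed keyword list; "api_key" is the term used in the searchcode sample run.
KEYWORDS = ("api_key", "password", "secret", "token")
# Assumed file-name terms; "jenkinsfile" is the term used in the searchfile sample run.
FILE_TERMS = ("jenkinsfile", ".env", "id_rsa")

ASSIGNMENT = re.compile(r"(?i)\b([\w.-]*(?:%s)[\w.-]*)\s*[:=]\s*[\"']?([^\s\"']+)"
                        % "|".join(KEYWORDS))

def mask(value):
    """Keep only the first two characters so reports do not re-leak the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)

def audit_checkout(root):
    """Return (content_hits, name_hits) for a local clone rooted at `root`."""
    content_hits, name_hits = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git metadata
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if any(term in name.lower() for term in FILE_TERMS):
                name_hits.append(rel)
            with open(path, "rb") as fh:
                data = fh.read(1_000_000)
            if b"\0" in data:  # treat files containing NUL bytes as binary
                continue
            for lineno, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
                m = ASSIGNMENT.search(line)
                if m:
                    content_hits.append((rel, lineno, m.group(1), mask(m.group(2))))
    return sorted(content_hits), sorted(name_hits)

def build_sample_checkout(root):
    """Constructed sample tree mirroring the file names in the outputs above."""
    os.makedirs(os.path.join(root, "subDir"))
    files = {"stuff.txt": "notes\nAPI_KEY=abc123\n", "README.md": "no credentials here\n",
             "subDir/Jenkinsfile": "pipeline { agent any }\n"}
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_checkout(tmp)
        print(audit_checkout(tmp))
```

Content hits carry the relative path, line number, variable name and a masked value, so the report itself can be shared without exposing the credential again.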

Snippet enumeration

GitLab Enterprise

SCMKit.exe -s gitlab -m listsnippet -c userName:password -u https://gitlab.something.local

SCMKit.exe -s gitlab -m listsnippet -c apikey -u https://gitlab.something.local

Sample output

C:\>SCMKit.exe -s gitlab -m listsnippet -c username:password -u https://gitlab.hogwarts.local

 

==================================================

Module:         listsnippet

System:         gitlab

Auth Type:      Username/Password

Options:

Target URL:     https://gitlab.hogwarts.local

 

Timestamp:      1/14/2022 9:17:36 PM

==================================================

 

               Title |                                                                Raw URL

---------------------------------------------------------------------------------------------

        spell-script |                         https://gitlab.hogwarts.local/-/snippets/2/raw

Add admin

GitHub Enterprise

SCMKit.exe -s github -m addadmin -c userName:password -u https://github.something.local -o targetUserName

SCMKit.exe -s github -m addadmin -c apikey -u https://github.something.local -o targetUserName

GitLab Enterprise

SCMKit.exe -s gitlab -m addadmin -c userName:password -u https://gitlab.something.local -o targetUserName

SCMKit.exe -s gitlab -m addadmin -c apikey -u https://gitlab.something.local -o targetUserName

Bitbucket Server

SCMKit.exe -s bitbucket -m addadmin -c userName:password -u https://bitbucket.something.local -o targetUserName

Sample output

C:\>SCMKit.exe -s gitlab -m addadmin -c apikey -u https://gitlab.hogwarts.local -o hgranger

 

==================================================

Module:         addadmin

System:         gitlab

Auth Type:      API Key

Options:        hgranger

Target URL:     https://gitlab.hogwarts.local

 

Timestamp:      1/14/2022 9:19:32 PM

==================================================

 

 

[+] SUCCESS: The hgranger user was successfully added to the admin role.

Remove admin

GitHub Enterprise

SCMKit.exe -s github -m removeadmin -c userName:password -u https://github.something.local -o targetUserName

SCMKit.exe -s github -m removeadmin -c apikey -u https://github.something.local -o targetUserName

GitLab Enterprise

SCMKit.exe -s gitlab -m removeadmin -c userName:password -u https://gitlab.something.local -o targetUserName

SCMKit.exe -s gitlab -m removeadmin -c apikey -u https://gitlab.something.local -o targetUserName

Bitbucket Server

SCMKit.exe -s bitbucket -m removeadmin -c userName:password -u https://bitbucket.something.local -o targetUserName

Sample output

C:\>SCMKit.exe -s gitlab -m removeadmin -c username:password -u https://gitlab.hogwarts.local -o hgranger

 

==================================================

Module:         removeadmin

System:         gitlab

Auth Type:      Username/Password

Options:        hgranger

Target URL:     https://gitlab.hogwarts.local

 

Timestamp:      1/14/2022 9:20:12 PM

==================================================

 

 

[+] SUCCESS: The hgranger user was successfully removed from the admin role.

License

This project is developed and released under the Apache-2.0 open source license.

Project URL

SCMKit: https://github.com/h4wkst3r/SCMKit

References

https://developer.atlassian.com/server/bitbucket/reference/rest-api/

https://octokitnet.readthedocs.io/en/latest/

https://github.com/octokit/octokit.net

https://docs.github.com/en/rest/overview

https://docs.gitlab.com/ee/api/api_resources.html

https://github.com/nmklotas/GitLabApiClient
