Gitlab Bulk Import Project Command Injection (CVE-2022-2185)

Usage

Run the fake gitlab server:

python3 api.py

Server is running on port 8800

Setup a proxy server in front of this server

Modify the target server, username/password and the FAKE_SERVER variable in the poc.py script

Run the poc.py

python2 poc.py

Wait for ~5 minutes, the command will get executed!