Description
This module leverages an insecure setting to get remote code execution on the target OS in the context of the user running Gogs. This is possible when the current user is allowed to create `git hooks`, which is the default for administrative users. For non-administrative users, the permission needs to be specifically granted by an administrator.
To achieve code execution, the module authenticates to the Gogs web interface, creates a temporary repository, sets a `post-receive` git hook with the payload and creates a dummy file in the repository. This last action will trigger the git hook and execute the payload. Everything is done through the web interface.
No mitigation has been implemented so far (latest stable version is 0.12.3).
This module has been tested successfully against version 0.12.3 on docker. Windows version could not be tested since the git hook feature seems to be broken.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/multi/http/gogs_git_hooks_rcemsf undefined(gogs_git_hooks_rce) > show actions ...actions...msf undefined(gogs_git_hooks_rce) > set ACTION < action-name >msf undefined(gogs_git_hooks_rce) > show options ...show and set options...msf undefined(gogs_git_hooks_rce) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub