CVE-2022-0415
This course provides an in-depth look at exploiting a remote command execution (RCE) vulnerability in Gogs, a platform for hosting git repositories. Discovered by wuhan005 and documented on huntr.com, this exploit targets the default installation of Gogs when registration is enabled. The key to this vulnerability is the ability to overwrite the .git/config file, which Git normally prevents. However, Gogs allows file uploads without requiring users to use git, and the upload restrictions do not stop an attacker from overwriting the .git/config file.
By adding an element named sshCommand to the git configuration file, an attacker can achieve command execution when a git fetch or git push is executed. To ensure the server's git uses ssh for pushing the uploaded file, the configuration links to a repository that relies on ssh for transport. This exercise illustrates how attackers can combine a file upload and directory traversal to manipulate the behavior of other accessible applications.
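
Two defensive checks that follow from the description above, written in Go as an added example (not code from Gogs or from the advisory): an upload-path validator that refuses any path resolving into a .git directory, and an audit helper that reports sshCommand entries in a repository's config text. The function names and all sample inputs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// isGitInternalPath reports whether an upload path, once backslashes and
// "../" sequences are resolved, has a component named .git (any letter case).
func isGitInternalPath(treePath string) bool {
	clean := path.Clean("/" + strings.ReplaceAll(treePath, "\\", "/"))
	for _, part := range strings.Split(clean, "/") {
		if strings.EqualFold(part, ".git") {
			return true
		}
	}
	return false
}

// findSSHCommand returns the value of each sshCommand key in git config text.
// Line-based check for audits, not a full git-config parser.
func findSSHCommand(config string) []string {
	var hits []string
	for _, line := range strings.Split(config, "\n") {
		line = strings.TrimSpace(line)
		// A key may follow its section header on the same line: "[core] key = v".
		if strings.HasPrefix(line, "[") {
			if i := strings.Index(line, "]"); i >= 0 {
				line = strings.TrimSpace(line[i+1:])
			}
		}
		key, val, ok := strings.Cut(line, "=")
		if ok && strings.EqualFold(strings.TrimSpace(key), "sshCommand") {
			hits = append(hits, strings.TrimSpace(val))
		}
	}
	return hits
}

func main() {
	// Constructed sample inputs, not taken from the advisory.
	for _, p := range []string{"docs/readme.md", ".git/config", "a/../.GIT/config", "src\\.git\\config"} {
		fmt.Printf("%-20q rejected=%v\n", p, isGitInternalPath(p))
	}
	cfg := "[core]\n\tbare = false\n\tsshCommand = constructed-placeholder\n[remote \"origin\"]\n\turl = git@example.invalid:org/repo.git\n"
	fmt.Println("sshCommand values:", findSSHCommand(cfg))
}
```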