POC详情: 8f9528659371a0d1ff00ba4246f22240a1070250

来源
https://github.com/asepsaepdin/CVE-2023-32315
关联漏洞
标题: Ignite Realtime Openfire 路径遍历漏洞 (CVE-2023-32315)
描述:Ignite Realtime Openfire是Ignite Realtime社区的一款采用Java开发且基于XMPP(前称Jabber,即时通讯协议)的跨平台开源实时协作(RTC)服务器。它能够构建高效率的即时通信服务器,并支持上万并发用户数量。 Ignite Realtime Openfire 存在安全漏洞,该漏洞源于允许未经身份验证的用户在已配置的 Openfire 环境中使用未经身份验证的 Openfire 设置环境,以访问为管理用户保留的 Openfire 管理控制台中的受限页面,以下产品和版
介绍
<h1 style="font-size:10vw" align="left">CVE-2023-32315 - Ignite Realtime Openfire Path Traversal Vulnerability</h1>


<img src="https://img.shields.io/badge/CVSS:3.1%20Score%20-7.5 HIGH-red"> [![Python](https://img.shields.io/badge/Python-%E2%89%A5%203.11-blueviolet.svg)](https://www.python.org/) <img src="https://img.shields.io/badge/Maintained%3F-Yes-96c40f">


******
⚠️ *For educational and authorized security research purposes only*


## Original Exploit Authors
Very grateful to the original PoC author [phith0n](https://github.com/phith0n) and [K3ysTr0K3R](https://github.com/K3ysTr0K3R)


## Description
Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.


******
## Step Guides
1. First, clone the repository
    ```bash
    git clone https://github.com/asepsaepdin/CVE-2023-32315.git
    ```
    
2. Change directory
    ```bash
    cd CVE-2023-32315
    ```
    
3. Let the container spin up
    ```bash
    docker compose up
    ```
    
4.  Run the python script `CVE-2023-32315.py` to exploit the host `http://127.0.0.1:9090`
    ```bash
    python3 CVE-2023-32315.py -u http://localhost:9090
    ```

5.  Then log in to the admin console with this account, and you can see that hugme is already an administrator.

6.  Go to tab plugin > upload plugin `openfire-management-tool-plugin.jar`

7.  Go to tab server > server settings > Management tool

8.  Access websehll with password "123"

9.  Go to ‘system command’ and utilize as if it’s the command line, only use one command at a time
    
 
******
## Credits
- https://github.com/miko550/CVE-2023-32315
- https://github.com/vulhub/vulhub/tree/master/openfire/CVE-2023-32315
- https://github.com/K3ysTr0K3R/CVE-2023-32315-EXPLOIT
- https://nvd.nist.gov/vuln/detail/cve-2023-32315
文件快照

 [4.0K]  /data/pocs/8f9528659371a0d1ff00ba4246f22240a1070250
├── [5.2K]  CVE-2023-32315.py
├── [  89]  docker-compose.yaml
├── [ 30K]  openfire-management-tool-plugin.jar
└── [2.6K]  README.md

0 directories, 4 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。