Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-32315 PoC — Ignite Realtime Openfire 路径遍历漏洞

Source
https://github.com/tangxiaofeng7/CVE-2023-32315-Openfire-Bypass
Associated Vulnerability
Title:Ignite Realtime Openfire 路径遍历漏洞 (CVE-2023-32315)
Description:Ignite Realtime Openfire是Ignite Realtime社区的一款采用Java开发且基于XMPP(前称Jabber,即时通讯协议)的跨平台开源实时协作(RTC)服务器。它能够构建高效率的即时通信服务器,并支持上万并发用户数量。 Ignite Realtime Openfire 存在安全漏洞,该漏洞源于允许未经身份验证的用户在已配置的 Openfire 环境中使用未经身份验证的 Openfire 设置环境,以访问为管理用户保留的 Openfire 管理控制台中的受限页面,以下产品和版
Description
rce
Readme
# CVE-2023-32315

0x01 获取返回的JSESSIONID和csrftoken ,构造请求包新增用户(替换JSESSIONID、csrftoken)
![img.png](img/img.png)
```
cd CVE-2023-32315-Openfire-Bypass/scan_all
go mod tidy
go run main.go -u http://openfire.com:9090
```
0x02 插件编译安装
```
mvn clean package
```
或
releases下载插件

0x03 上传插件
![img.png](img/plugin.png)

0x04 得到webshel
![img.png](img/webshell.png)
0x05 执行命令
![img.png](img/cmd.png)
File Snapshot

 [4.0K]  /data/pocs/35476b86d2187b9b83f74cb8059a0db58496614a
├── [4.0K]  img
│   ├── [ 31K]  cmd.png
│   ├── [ 39K]  img.png
│   ├── [ 92K]  plugin.png
│   └── [101K]  webshell.png
├── [1.8K]  pom.xml
├── [ 468]  README.md
├── [4.0K]  scan_all
│   ├── [2.2K]  go.mod
│   └── [3.4K]  main.go
└── [4.0K]  src
    ├── [4.0K]  main
    │   ├── [4.0K]  i18n
    │   │   └── [ 351]  exampleplugin_i18n.properties
    │   ├── [4.0K]  java
    │   │   └── [4.0K]  org
    │   │       └── [4.0K]  igniterealtime
    │   │           └── [4.0K]  openfire
    │   │               └── [4.0K]  exampleplugin
    │   │                   └── [ 677]  ExamplePlugin.java
    │   └── [4.0K]  web
    │       ├── [ 69K]  cmd.jsp
    │       └── [4.0K]  WEB-INF
    │           └── [ 305]  web.xml
    └── [ 706]  plugin.xml

12 directories, 13 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.