CVE-2023-32315 PoC — Openfire administration console authentication bypass

Associated Vulnerability
Title: Openfire administration console authentication bypass (CVE-2023-32315)
Description: Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.
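A defender-side triage built from the version ranges in the description above, as an added example that is not part of the original page or the repository: it classifies an Openfire version string as not-affected, vulnerable or patched. The function names and verdict strings are hypothetical, and treating 4.8.0 and later as patched is an assumption based on the announced fix.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ver packs a version into one comparable integer (each component 0..999).
func ver(major, minor, patch int) int { return (major*1000+minor)*1000 + patch }
// parse reads "major.minor.patch"; a leading "v" and any "-suffix" are ignored.
func parse(s string) (int, error) {
	s, _, _ = strings.Cut(strings.TrimPrefix(strings.TrimSpace(s), "v"), "-")
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return 0, fmt.Errorf("want major.minor.patch, got %q", s)
	}
	n := 0
	for _, p := range parts {
		c, err := strconv.Atoi(p)
		if err != nil || c < 0 || c > 999 {
			return 0, fmt.Errorf("bad component %q in %q", p, s)
		}
		n = n*1000 + c
	}
	return n, nil
}

// Triage classifies an Openfire version for CVE-2023-32315 (ranges from the text above).
func Triage(version string) (string, error) {
	n, err := parse(version)
	switch branch := n / 1000; {
	case err != nil:
		return "", err
	case n < ver(3, 10, 0):
		return "not-affected", nil // older than the first affected release
	case n >= ver(4, 8, 0), // assumption: 4.8.0 and later carry the fix, as announced
		branch == 4007 && n >= ver(4, 7, 5), branch == 4006 && n >= ver(4, 6, 8):
		return "patched", nil
	}
	return "vulnerable", nil // 3.10.0 or later, below the fix for its branch
}

func main() {
	for _, s := range []string{"3.9.3", "4.5.6", "4.6.7", "4.6.8", "4.7.4", "4.7.5"} { // constructed inventory
		verdict, _ := Triage(s)
		fmt.Printf("%-6s %s\n", s, verdict)
	}
}
```

Branches older than 4.6 have no fixed release named in the description, so every version from 3.10.0 up to 4.5.x is reported as vulnerable.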
Description
rce
Readme
# CVE-2023-32315

0x01 Obtain the returned JSESSIONID and csrftoken, then build a request that adds a new user (substituting the JSESSIONID and csrftoken values)
![img.png](img/img.png)
```
cd CVE-2023-32315-Openfire-Bypass/scan_all
go mod tidy
go run main.go -u http://openfire.com:9090
```
0x02 Build and install the plugin
```
mvn clean package
```
or
download the plugin from the releases page

0x03 Upload the plugin
![img.png](img/plugin.png)

0x04 Obtain the webshell
![img.png](img/webshell.png)
0x05 Execute commands
![img.png](img/cmd.png)






File Snapshot

```
[4.0K] /data/pocs/35476b86d2187b9b83f74cb8059a0db58496614a
├── [4.0K] img
│   ├── [ 31K] cmd.png
│   ├── [ 39K] img.png
│   ├── [ 92K] plugin.png
│   └── [101K] webshell.png
├── [1.8K] pom.xml
├── [ 468] README.md
├── [4.0K] scan_all
│   ├── [2.2K] go.mod
│   └── [3.4K] main.go
└── [4.0K] src
    ├── [4.0K] main
    │   ├── [4.0K] i18n
    │   │   └── [ 351] exampleplugin_i18n.properties
    │   ├── [4.0K] java
    │   │   └── [4.0K] org
    │   │       └── [4.0K] igniterealtime
    │   │           └── [4.0K] openfire
    │   │               └── [4.0K] exampleplugin
    │   │                   └── [ 677] ExamplePlugin.java
    │   └── [4.0K] web
    │       ├── [ 69K] cmd.jsp
    │       └── [4.0K] WEB-INF
    │           └── [ 305] web.xml
    └── [ 706] plugin.xml

12 directories, 13 files
```