# XMPP/Jabber

## Theory

**Extensible Messaging and Presence Protocol** (XMPP, originally named **Jabber**) is an open communication protocol designed for instant messaging (IM), presence information, and contact list maintenance. Based on XML (Extensible Markup Language), it enables the near-real-time exchange of structured data between two or more network entities. The service usually runs over ports **TCP 5222, 5269 or 8010**.

## Practice

### Connect to an XMPP server

{% tabs %}
{% tab title="Pidgin" %}
[Pidgin](https://pidgin.im/install/) is a chat program that lets you connect to multiple chat networks, including XMPP servers.

<figure><img src="https://329872044-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMdUKdzuqIuObdvCB3mUR%2Fuploads%2Fgit-blob-679ebd63d4ef415687e3f61d2b3c2536bb5dd9e8%2Fimage.png?alt=media" alt="" width="453"><figcaption></figcaption></figure>
{% endtab %}
{% endtabs %}

### Openfire <a href="#firstheading" id="firstheading"></a>

Openfire is an instant messaging (IM) and groupchat server for the Extensible Messaging and Presence Protocol (XMPP) written in Java.

#### CVE-2023-32315 - Authentication Bypass Vulnerability

{% tabs %}
{% tab title="Exploit" %}
**CVE-2023-32315** is a path traversal vulnerability found in the web-based Admin Console of Openfire. This security flaw enables unauthenticated users to access restricted pages that are meant exclusively for administrative use within a configured Openfire environment. **Successful exploitation of this vulnerability allows an attacker to create a new administrative user**.

This vulnerability impacts all Openfire versions released after April 2015, commencing from version **3.10.0**. The issue has been patched in releases **4.7.5** and **4.6.8**.

The [CVE-2023-32315](https://github.com/miko550/CVE-2023-32315) Python script can be used to exploit this vulnerability:

```
python3 CVE-2023-32315.py -t http://127.0.0.1:9090
python3 CVE-2023-32315.py -l lists.txt
```

{% endtab %}
{% endtabs %}
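
For triage on the defensive side, the version boundaries stated above can be applied to an asset inventory; note that a naive "greater than 4.6.8" comparison would wrongly mark 4.7.0 to 4.7.4 as patched. This is an added example, not code from the original page or the Openfire project; the host names and inventory are constructed, and treating branches newer than 4.7 as patched is an assumption.

```python
import re

# Version boundaries as stated on this page for CVE-2023-32315.
FIRST_AFFECTED = (3, 10, 0)
FIXED_BY_BRANCH = {(4, 6): (4, 6, 8), (4, 7): (4, 7, 5)}

# Constructed inventory for illustration: (host, version string as reported).
INVENTORY = [
    ("chat-01.example.internal", "Openfire 3.9.3"),
    ("chat-02.example.internal", "4.6.7"),
    ("chat-03.example.internal", "4.6.8"),
    ("chat-04.example.internal", "4.7.4"),
    ("chat-05.example.internal", "4.7.5"),
    ("chat-06.example.internal", "4.5.6"),
    ("chat-07.example.internal", "unknown"),
]


def parse_version(text):
    """Return (major, minor, patch) from strings such as '4.7.4' or 'Openfire 4.6.7-SNAPSHOT'."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def classify(version_text):
    """Classify one Openfire version as 'not affected', 'affected' or 'patched'."""
    version = parse_version(version_text)
    if version < FIRST_AFFECTED:
        return "not affected"
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return "patched" if version >= FIXED_BY_BRANCH[branch] else "affected"
    # Branches between 3.10 and 4.5 have no fixed release listed on this page.
    # Assumption: branches newer than 4.7 carry the fix.
    return "patched" if branch > (4, 7) else "affected"


def triage(inventory):
    """Return {host: status}; unparseable versions are flagged for manual review."""
    report = {}
    for host, version_text in inventory:
        try:
            report[host] = classify(version_text)
        except ValueError:
            report[host] = "review manually"
    return report


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:28} {status}")
```
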

#### Remote Code Execution (RCE)

{% tabs %}
{% tab title="plugin" %}
If you have administrator access to the Openfire console, you can achieve remote code execution by deploying a web shell through a plugin upload. To do this, follow these steps:

1. Go to the plugin tab > upload plugin [openfire-management-tool-plugin.jar](https://github.com/miko550/CVE-2023-32315/raw/main/openfire-management-tool-plugin.jar)
2. Go to the server tab > server settings > Management tool
3. Access the web shell with password "123"
4. We should now be able to execute commands

<figure><img src="https://329872044-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMdUKdzuqIuObdvCB3mUR%2Fuploads%2Fgit-blob-49ce5e4657674173fc1e8b9ef857a4431e67a47c%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
{% endtab %}
{% endtabs %}

## Resources

{% embed url="<https://book.hacktricks.xyz/network-services-pentesting/pentesting-voip#voip-basic-information>" %}

{% embed url="<https://en.wikipedia.org/wiki/XMPP>" %}


