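Related vulnerability
Title: Apache OFBiz security vulnerability (CVE-2024-38856)
Description: Apache OFBiz is an enterprise resource planning (ERP) system from the Apache Software Foundation (US). It provides a full set of Java-based web application components and tools. Apache OFBiz 18.12.14 and earlier contain a security vulnerability caused by an incorrect authorization flaw, which allows unauthenticated endpoints to execute screen rendering code.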
Description
Perform With Massive Apache OFBiz Zero-Day Scanner & RCE
Introduction
# CVE-2024-38856 Apache OFBiz RCE Scanner
## Description
This script is designed to scan for the `CVE-2024-38856` vulnerability in Apache OFBiz applications, which may allow for remote code execution. It sends HTTP POST requests to specific paths within the OFBiz application with malicious payloads to exploit the vulnerability.

## Features
- Scans targets for vulnerability using various paths
- Supports multithreading for faster processing
- Uses `coloredlogs` for color-coded, easy-to-read logs
- Supports input from a file containing a list of targets

## Prerequisites
- Python 3.x
- Python Modules:
  - `requests`
  - `coloredlogs`
  - `colorama`
  - `argparse`
  - `urllib3`

You can install the required dependencies using pip:
```bash
pip install requests coloredlogs colorama argparse urllib3
```
## Usage
### Running the Script
To run the script, use the following command:
```bash
python script_name.py [options]
```
## Options
- `-t`, `--threads`: Number of threads to use (default: 1)
- `-p`, `--port`: Target port
- `-c`, `--command`: Command to execute
- `-s`, `--scan`: Perform a scan with ping, curl, and wget
- `-d`, `--domain`: Domain (attacker domain) to scan with ping, curl, and wget
- `-f`, `--file`: File containing a list of targets in the format `http(s)://target,port`
## Examples
- Scan targets with a command:
```bash
python script_name.py -f targets.txt -c "whoami"
```
- Perform a scan with a domain:
```bash
python script_name.py -s -d example.com -p 80
```
- Use a file containing a list of targets:
```bash
python script_name.py -f targets.txt -c "uname -a"
```
## Error Handling
- If targets lack the `http://` or `https://` prefix, the script will prompt you to choose a prefix to add.
- If there's an error while making an HTTP request, the script will log the error.
File snapshot
[4.0K] /data/pocs/c238cfca5d4507ff14571f90f420cd42cd866508
├── [ 10K] CVE-2024-38856.py
├── [1.9K] README.md
└── [ 38] requirements.txt
0 directories, 3 files