CVE-2021-26295 PoC — RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI

Source

https://github.com/yumusb/CVE-2021-26295

Associated Vulnerability

Title:RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI (CVE-2021-26295)
Description:Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.

Readme

# CVE-2021-26295-POC

利用DNSlog进行CVE-2021-26295的漏洞验证。

### 使用

poc: 将目标放于 target.txt 后运行`python poc.py`即可。（Jdk环境需<12，否则ysoserial不能正常生成payload）

exp: `python exp.py https://baidu.com` 然后进入命令执行界面（无回显）

仅供学习交流，请勿用于其他用途。

File Snapshot


 [4.0K]  /data/pocs/10824de7f28a571c51d9dc022f8a6975bb1d79b6
├── [2.0K]  exp.py
├── [2.7K]  poc.py
├── [ 363]  README.md
├── [  38]  target.txt
└── [ 58M]  ysoserial.jar

0 directories, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →