CVE-2020-9496 PoC — Apache OFBiz Code Issue Vulnerability

Associated Vulnerability
Title: Apache OFBiz Code Issue Vulnerability (CVE-2020-9496)
Description: XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03
Readme
# CVE-2020-9496

## Set-up Vulnerable Environment

```bash
# Download and unpack the OFBiz 17.12.01 release
wget http://archive.apache.org/dist/ofbiz/apache-ofbiz-17.12.01.zip
unzip apache-ofbiz-17.12.01.zip
cd apache-ofbiz-17.12.01
# Fetch the Gradle wrapper, then clean the build and load the default data
sh gradle/init-gradle-wrapper.sh
./gradlew cleanAll loadDefault
./gradlew "ofbiz --load-data readers=seed,seed-initial,ext"
./gradlew ofbiz # Start OFBiz
```

Open a browser and go to `https://localhost:8443`.

The default administrative account is username: **admin** password: **ofbiz**.

## Proof of Concept

### Using [nuclei](https://github.com/projectdiscovery/nuclei)

- https://github.com/projectdiscovery/nuclei-templates/pull/312

```
echo "https://localhost:8443" | nuclei -t cves/CVE-2020-9496.yaml
```