CVE-2023-49070 PoC — Pre-auth RCE in Apache Ofbiz 18.12.09 due to XML-RPC still present

Source
Associated Vulnerability
Title: Pre-auth RCE in Apache Ofbiz 18.12.09 due to XML-RPC still present (CVE-2023-49070)
Description: Pre-auth RCE in Apache Ofbiz 18.12.09. It is due to XML-RPC, which is no longer maintained, still being present. This issue affects Apache OFBiz before 18.12.10. Users are recommended to upgrade to version 18.12.10.
Description
A Tool For CVE-2023-49070/CVE-2023-51467 Attack
Readme
# OFBiz-Attack
A Tool For CVE-2023-49070/CVE-2023-51467 Attack

### Test environment

vulhub/ofbiz:18.12.09

### Usage

Launch

````
java -jar OFBiz-Attack.jar
````

There are three modules:

- Vulnerability check

  ![1](./img/1.png)

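  Enter only the target URL; there is no need to append any additional route, and doing so will interfere with the later modules. Only HTTPS requests are supported, and the speed depends on the web server's performance.

  Do not modify the URL after the check completes; the later modules read the URL from this field.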

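- Command execution

  The vulnerability check must be completed before use. This module uses CVE-2023-51467 to execute commands, which also makes it easy to get the output echoed back.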

  ![2](./img/2.png)

  

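  If execution fails, the message `Not executed for security reason` is returned.

  Some commands cannot be executed, (possibly) because a blacklist is configured in the `security.properties` file.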

  ![3](./img/3.png)

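  A reverse shell can still be executed, however. If this module works poorly for you, move on to the next module.

- Memory shell injection

  ⚠️ Use with caution; the damage is irreversible.

  The vulnerability check must be completed before use. This module uses the CVE-2023-49070 deserialization to inject a memory shell. It supports injecting a CMD or a Behinder memory shell; in principle only one of the two can be injected.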

  ![4](./img/4.png)

  

  Connect with Behinder using the default password; do not forget the trailing `/`.

  ![5](./img/5.png)

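  Both memory shells are injected as a Filter on `/webtool/*`.

### Closing remarks

⚠️ This tool is for learning and exchange only; do not use it for illegal purposes.

If a module gives you a bad experience, my sincere apologies; please send suggestions for the tool so it can be improved later 🙏

Thanks for using it.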
File Snapshot

````
[4.0K]  /data/pocs/6e97a4a7e64e3a84bab92045ec46cec3c3c703a4
├── [4.0K]  img
│   ├── [ 58K]  1.png
│   ├── [ 67K]  2.png
│   ├── [ 97K]  3.png
│   ├── [ 89K]  4.png
│   └── [158K]  5.png
├── [4.0K]  out
│   └── [4.0K]  artifacts
│       └── [4.0K]  OFBiz_Attack_jar
│           └── [3.4M]  OFBiz-Attack.jar
├── [1.0K]  pom.xml
├── [1.4K]  README.md
├── [4.0K]  src
│   └── [4.0K]  main
│       ├── [4.0K]  java
│       │   └── [4.0K]  org
│       │       └── [4.0K]  ofbiz
│       │           ├── [4.0K]  listener
│       │           │   ├── [2.8K]  CmdExecuteListener.java
│       │           │   ├── [2.6K]  MemshellInjectListener.java
│       │           │   └── [1.7K]  VulCheckListener.java
│       │           ├── [4.9K]  Main.java
│       │           ├── [4.0K]  shell
│       │           │   └── [ 24K]  ShellManager.java
│       │           └── [4.0K]  util
│       │               ├── [1.8K]  Check.java
│       │               └── [3.4K]  Http.java
│       └── [4.0K]  resources
│           └── [4.0K]  META-INF
│               └── [  53]  MANIFEST.MF
└── [4.0K]  target
    └── [4.0K]  classes
        ├── [4.0K]  META-INF
        │   └── [  53]  MANIFEST.MF
        └── [4.0K]  org
            └── [4.0K]  ofbiz
                ├── [4.0K]  listener
                │   ├── [3.7K]  CmdExecuteListener.class
                │   ├── [ 26K]  MemshellInjectListener.class
                │   └── [1.9K]  VulCheckListener.class
                ├── [1.6K]  Main$CustomTabbedPaneUI.class
                ├── [4.5K]  Main.class
                ├── [4.0K]  shell
                │   └── [ 24K]  ShellManager.class
                └── [4.0K]  util
                    ├── [2.3K]  Check.class
                    ├── [1.0K]  Http$1.class
                    └── [4.2K]  Http.class

22 directories, 26 files
````