Share
## https://sploitus.com/exploit?id=184DA5D4-3571-5CA8-A679-ABE0FEC63407
**Apache-OFBiz-Auth-Bypass-and-RCE-Exploit-CVE-2023-49070-CVE-2023-51467**

Apache OFBiz is an open source enterprise resource planning system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise.

**CVE-2023-49070** is a pre-authentication Remote Code Execution (RCE) vulnerability which has been identified in Apache OFBiz 18.12.09. The issue stems from the presence of XML-RPC, which is no longer maintained but remains in the system. 

**CVE-2023-51467** permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code.

**Affected versions:** 18.12.10 and below

This exploit scans whether the provided target is vulnerable and also exploits it depending on the choice of the user.

**Usage:**
python3 exploit.py https://localhost:8443/

**Reference:**
https://www.prio-n.com/blog/cve-2023-49070-51467-attacking-defending-Apache-OFBiz

**Note:** You should have the ysoserial-all.jar file in the same directory as the exploit. You can either download it from this repo or from https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar. 

**If the serialization does not happen or if the exploit is not successful due to some reason, follow the steps below to downgrade your java version and try again.**

update-java-alternatives --list

sudo update-java-alternatives --set /usr/lib/jvm/java-1.11.0-openjdk-amd64

sudo update-java-alternatives --set <Any_lower_compatible_version>

**Disclaimer:**
This exploit is to be used only for educational and authorized testing purposes. Illegal/unauthorized use of this exploit is prohibited.