Getting a shell through the ActiveMQ backend: CVE-2016-3088

First, leak the installation path
acitvemq1.png
Then PUT a file
2.png

MOVE the file. This is not the standard MOVE protocol; the Destination uses the file pseudo-protocol

3.png

Finally, get the shell
4.png

Here is the key backend code that handles MOVE:

    protected void doMove(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException
    {
        if (LOG.isDebugEnabled()) {
            LOG.debug("RESTful file access: MOVE request for " + request.getRequestURI());
        }
        // Only a role check is applied, and only when a write role is configured.
        if ((this.writePermissionRole != null) && (!request.isUserInRole(this.writePermissionRole)))
        {
            response.sendError(403);
            return;
        }
        // Source file, located from the request URI.
        File file = locateFile(request);
        String destination = request.getHeader("Destination");
        if (destination == null)
        {
            response.sendError(400, "Destination header not found");
            return;
        }
        try
        {
            // The Destination header is parsed as a URL and its file part is used
            // directly as a local filesystem path; neither the scheme nor the
            // target directory is checked.
            URL destinationUrl = new URL(destination);
            IOHelper.copyFile(file, new File(destinationUrl.getFile()));
            IOHelper.deleteFile(file);
        }
        catch (IOException e)
        {
            response.sendError(500);
            return;
        }
    }
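One way to constrain the Destination header before the copy in doMove, shown as an added example that is not part of the original post and not the project's own fix. The class name `DestinationCheck`, the method `resolveInsideRoot`, the upload root and the sample headers are all hypothetical; it assumes only http(s) destinations are legitimate and that the URL path is interpreted relative to the upload root.

```java
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;

public class DestinationCheck {

    // Returns the destination file if it stays inside root, otherwise null.
    static File resolveInsideRoot(File root, String destination) throws IOException {
        if (destination == null) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(destination);
        } catch (URISyntaxException e) {
            return null;
        }
        String scheme = uri.getScheme();
        // Assumption: only http(s) destinations are legitimate; file: and others are refused.
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return null;
        }
        String path = uri.getPath(); // percent-decoded, so %2e%2e is seen as ".."
        if (path == null || path.isEmpty()) {
            return null;
        }
        Path rootPath = root.getCanonicalFile().toPath();
        // Treat the URL path as relative to root, then canonicalize to collapse ".." segments.
        Path target = new File(root, path).getCanonicalFile().toPath();
        if (target.equals(rootPath) || !target.startsWith(rootPath)) {
            return null;
        }
        return target.toFile();
    }

    public static void main(String[] args) throws IOException {
        File root = new File(System.getProperty("java.io.tmpdir"), "fileserver-root"); // hypothetical root
        String[] constructed = { // constructed sample headers
            "http://broker.example/docs/a.txt",
            "file:///tmp/outside.txt",
            "http://broker.example/docs/%2e%2e/%2e%2e/outside.txt",
        };
        for (String d : constructed) {
            File f = resolveInsideRoot(root, d);
            System.out.println(d + " -> " + (f == null ? "REJECT" : f.getPath()));
        }
    }
}
```

In a handler like doMove, a null result would map to a 400 or 403 response before any call to IOHelper.copyFile.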

This bug is worth a lot of money
http://0day.today/exploit/description/25370
Affected versions: Apache ActiveMQ 5.0.0 – 5.13.2
Test environment: apache-activemq-5.8.0, Debian 8 x64
