2025-04-10 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail how to reproduce the Apache ActiveMQ remote code execution vulnerability CVE-2016-3088. It is shared here as a reference, in the hope that readers come away with a working understanding of the topic.
0x00 Brief background
ActiveMQ is open source messaging middleware under the Apache Software Foundation. Jetty is an open source servlet container that provides a runtime environment for Java web components such as JSP and servlets. ActiveMQ 5.0 and later integrate Jetty by default and, after startup, provide a web application for monitoring ActiveMQ.
On April 14, 2016, security researcher Simon Zuckerbraun disclosed multiple security vulnerabilities in the Apache ActiveMQ Fileserver that could allow remote attackers to replace web applications with malicious code and execute code remotely on affected systems (CVE-2016-3088).
ActiveMQ's web console is divided into three applications: admin, api and fileserver. admin is the administrator page, api is the interface, and fileserver is the file storage interface. admin and api require login; fileserver does not.
fileserver is a RESTful API. Files stored in it can be read and written through HTTP requests such as GET, PUT and DELETE. It was designed to compensate for the fact that message queue operations cannot transmit and store binary files, but it was later found that:
1. Its usage rate is not high
2. File manipulation is prone to vulnerabilities
So ActiveMQ turned fileserver off by default in versions 5.12.x to 5.13.x (it can be turned on in conf/jetty.xml); after version 5.14.0, fileserver was removed completely.
When testing, check the ActiveMQ version first to avoid detours.
0x01 Vulnerability Environment
Environment: vulhub.org/#/docs/
# Switch to the appropriate environment directory
cd /root/vulhub-master/activemq/CVE-2016-3088
# Start the environment
docker-compose up -d
# View the running containers
docker-compose ps
0x02 Vulnerability reproduction
Write a shell directly.
A shell only works if it is written into admin or api, and both require login, so this step cannot be done without a password.
The default password for this environment is admin/admin.
Visit http://ip:8161/admin/test/systemProperties.jsp to get the current system path.
Upload a small JSP shell (a "pony"). The server returns 204, but JSP files are not parsed under the fileserver path.
#Pony
Capture the request with Burp (bp), then PUT the pony.
If successful, the server returns 204 No Content, and the file can be viewed in the browser.
Then use a MOVE request to move the file into the api directory. If successful, the server returns 204 No Content.
Go directly to http://ip:8161/api/1.jsp?cmd=ls
Proof of Shell
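As an added example (not part of the original article), the request sequence described above can be searched for in web access logs. The sketch below assumes NCSA common-format log lines; the sample lines, addresses and file names are constructed, and the stage and severity names are hypothetical.

```python
import re

# Constructed sample lines in NCSA common log format (an assumption, not from the article).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Apr/2025:10:00:01 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 5120
203.0.113.9 - - [10/Apr/2025:10:02:11 +0000] "PUT /fileserver/1.jsp HTTP/1.1" 204 0
203.0.113.9 - - [10/Apr/2025:10:02:30 +0000] "MOVE /fileserver/1.jsp HTTP/1.1" 204 0
203.0.113.9 - - [10/Apr/2025:10:02:41 +0000] "GET /api/1.jsp?cmd=ls HTTP/1.1" 200 87
198.51.100.7 - - [10/Apr/2025:10:03:00 +0000] "PUT /fileserver/report.bin HTTP/1.1" 204 0
192.0.2.44 - - [10/Apr/2025:10:04:00 +0000] "MOVE /fileserver/x.txt HTTP/1.1" 500 0
"""

# Captures: client, method, request target, status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})\b')

def triage(log_text):
    """Map each client to the ordered stages ("write", "move", "exec") it completed."""
    stages = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        path = target.split("?", 1)[0].lower()
        ok = status.startswith("2")          # the article's steps return 204
        seen = stages.get(client, [])
        if path.startswith("/fileserver/"):
            if method == "PUT" and ok and "write" not in seen:
                seen.append("write")         # file written through fileserver
            elif method == "MOVE" and ok and "move" not in seen:
                seen.append("move")          # file relocated out of fileserver
        elif (path.endswith(".jsp") and path.startswith(("/api/", "/admin/"))
              and "move" in seen and "exec" not in seen):
            seen.append("exec")              # JSP requested after a successful MOVE
        if seen:
            stages[client] = seen
    return stages

def severity(seen):
    """Rank a client's stages; the labels are hypothetical names for this sketch."""
    if "exec" in seen:
        return "critical"
    return "high" if "move" in seen else "review"

if __name__ == "__main__":
    for client, seen in triage(SAMPLE_LOG).items():
        print(client, severity(seen), "->".join(seen))
```

The access log does not record the MOVE request's Destination header, so the sketch correlates by client address and request order rather than by file name.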
That concludes the reproduction of the Apache ActiveMQ remote code execution vulnerability CVE-2016-3088. I hope the content above is of some help.