2023-12-23 23:05:23.706 WARN 25724 --- [nio-8080-exec-6] .w.s.m.s.DefaultHandlerExceptionResolver : Resolved [org.springframework.web.HttpMediaTypeNotAcceptableException: Could not parse 'Accept' header [123]: Invalid mime type "123": does not contain '/']
WordPress Security Scanner by the WPScan Team
Version 3.8.18
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]Y
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://124.71.184.68:8012/ [124.71.184.68]
[+] Started: Sat Dec 23 18:43:01 2023
[+] WordPress theme in use: twentytwentyfour
 | Location: http://124.71.184.68:8012/wp-content/themes/twentytwentyfour/
 | Readme: http://124.71.184.68:8012/wp-content/themes/twentytwentyfour/readme.txt
 | Style URL: http://124.71.184.68:8012/wp-content/themes/twentytwentyfour/style.css
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | The version could not be determined.

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] all-in-one-video-gallery
 | Location: http://124.71.184.68:8012/wp-content/plugins/all-in-one-video-gallery/
 | Last Updated: 2023-09-01T08:47:00.000Z
 | [!] The version is out of date, the latest version is 3.5.2
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: All-in-One Video Gallery 2.5.8 - 2.6.0 - Unauthenticated Arbitrary File Download & SSRF
 |     Fixed in: 2.6.1
 |     References:
 |      - https://wpscan.com/vulnerability/852c257c-929a-4e4e-b85e-064f8dadd994
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2633
 |
 | [!] Title: Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
 |     Fixed in: 3.4.3
 |     References:
 |      - https://wpscan.com/vulnerability/7fd1ad0e-9db9-47b7-9966-d3f5a8771571
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33999
 |
 | Version: 2.6.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://124.71.184.68:8012/wp-content/plugins/all-in-one-video-gallery/README.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://124.71.184.68:8012/wp-content/plugins/all-in-one-video-gallery/README.txt

[+] contact-form-7
 | Location: http://124.71.184.68:8012/wp-content/plugins/contact-form-7/
 | Last Updated: 2023-12-19T04:49:00.000Z
 | [!] The version is out of date, the latest version is 5.8.5
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 5.8.4 (100% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - http://124.71.184.68:8012/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.8.4
 | Confirmed By:
 |  Readme - Stable Tag (Aggressive Detection)
 |   - http://124.71.184.68:8012/wp-content/plugins/contact-form-7/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - http://124.71.184.68:8012/wp-content/plugins/contact-form-7/readme.txt
[+] drag-and-drop-multiple-file-upload-contact-form-7
 | Location: http://124.71.184.68:8012/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/
 | Last Updated: 2023-12-05T07:37:00.000Z
 | [!] The version is out of date, the latest version is 1.3.7.4
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 4 vulnerabilities identified:
 |
 | [!] Title: Drag and Drop Multiple File Upload - Contact Form 7 < 1.3.6.3 - Unauthenticated Stored XSS
 |     Fixed in: 1.3.6.3
 |     References:
 |      - https://wpscan.com/vulnerability/1b849957-eaca-47ea-8f84-23a3a98cc8de
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0595
 |      - https://plugins.trac.wordpress.org/changeset/2686614
 |
 | [!] Title: Drag and Drop Multiple File Upload < 1.3.6.5 - File Upload Size Limit Bypass
 |     Fixed in: 1.3.6.5
 |     References:
 |      - https://wpscan.com/vulnerability/035dffef-4b4b-4afb-9776-7f6c5e56452c
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3282
 |
 | [!] Title: Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.6.6 - File Upload and File deletion via CSRF
 |     Fixed in: 1.3.6.6
 |     References:
 |      - https://wpscan.com/vulnerability/e6a76476-e086-473d-bc1e-3264c85b2441
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45364
 |
 | [!] Title: Drag and Drop Multiple File Upload - Contact Form 7 < 1.3.7.4 - Unauthenticated Arbitrary File Upload
 |     Fixed in: 1.3.7.4
 |     References:
 |      - https://wpscan.com/vulnerability/d758ce63-73fb-46a6-9cc7-c114db2e2512
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5822
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/1b3be300-5b7f-4844-8637-1bb8c939ed4c
 |
 | Version: 1.3.6.2 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://124.71.184.68:8012/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://124.71.184.68:8012/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/readme.txt
Hint 1: Pay attention to the challenge name "EvilMQ" and combine it with recently disclosed public vulnerabilities.
Hint 2: Similar to ActiveMQ (CVE-2023-46604), but this is a client-side RCE, which requires building an Evil Server.
From pom.xml, the environment can be seen to be tubemq-client 1.9.0.
Vulnerability Analysis
Following X1r0z's writeup for a quick look, it is a client-side RCE. Look at org.apache.inlong.tubemq.corerpc.netty.NettyClient.NettyClientHandler#channelRead, which is "Invoked when a message object was received from a remote peer".
If status is not RPCProtos.ResponseHeader.Status.SUCCESS, org.apache.inlong.tubemq.corerpc.utils.MixUtils#unwrapException is called to handle the exception information.
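The non-SUCCESS branch described above is where the client takes exception details chosen by the server, so it is the point a defender wants that data kept as data. The following is an added example, not TubeMQ's own unwrapException; it assumes, as in the ActiveMQ case the hint cites, that the response carries an exception class name and a message as strings, and contrasts loading that class by name with a fixed allowlist lookup.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

// Added example, not TubeMQ's code. Assumption: the error response gives the
// client an exception class name and a message, both as plain strings.
public final class SafeUnwrap {
    // Allowlist: the only names the client will ever turn into real objects.
    private static final Map<String, Function<String, Exception>> KNOWN = new HashMap<>();
    static {
        KNOWN.put("java.io.IOException", java.io.IOException::new);
        KNOWN.put("java.util.concurrent.TimeoutException",
                  java.util.concurrent.TimeoutException::new);
        KNOWN.put("java.lang.IllegalStateException", IllegalStateException::new);
    }

    // The shape to avoid: the remote peer picks which class gets loaded and
    // constructed, so every class with a String constructor becomes reachable.
    static Throwable unsafeUnwrap(String className, String message) throws Exception {
        Class<?> c = Class.forName(className);
        return (Throwable) c.getConstructor(String.class).newInstance(message);
    }

    // Hardened version: unknown names stay as text inside a fixed type, and the
    // message is bounded so a hostile server cannot inflate memory or logs.
    static Exception safeUnwrap(String className, String message) {
        String msg = message == null ? "" : message;
        if (msg.length() > 512) {
            msg = msg.substring(0, 512) + "...";
        }
        Function<String, Exception> ctor = KNOWN.get(className);
        if (ctor == null) {
            return new RuntimeException("remote error [" + className + "]: " + msg);
        }
        return ctor.apply(msg);
    }

    public static void main(String[] args) {
        // Constructed sample responses: one known type, one arbitrary class name.
        Exception a = safeUnwrap("java.io.IOException", "broker unavailable");
        Exception b = safeUnwrap("org.example.AnyClassTheServerLikes", "x");
        System.out.println("known name maps to " + a.getClass().getName());
        System.out.println("unknown name maps to " + b.getClass().getName());
    }
}
```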
// Fragment of the JDK's process-launching code (java.lang.ProcessImpl): cmds[0]
// is the program and cmds[1..] are its arguments, packed into one NUL-separated
// block for the native side. The new byte[] is zero-filled, so the separators
// are already in place.
// Convert arguments to a contiguous block; it's easier to do
// memory management in Java than in C.
byte[][] cmdArgs = new byte[cmds.length - 1][];
int size = cmdArgs.length; // For added NUL bytes
for (int i = 0; i < cmdArgs.length; i++) {
    cmdArgs[i] = cmds[i + 1].getBytes();
    size += cmdArgs[i].length;
}
byte[] argBlock = new byte[size];
int i = 0;
for (byte[] arg : cmdArgs) {
    System.arraycopy(arg, 0, argBlock, i, arg.length);
    i += arg.length + 1; // No need to write NUL bytes explicitly
}