References:
- Summary of ActiveMQ vulnerability exploitation methods
- https://github.com/vulhub/vulhub/blob/master/activemq/CVE-2015-5254/README.zh-cn.md
- https://github.com/vulhub/vulhub/blob/master/activemq/CVE-2016-3088/README.zh-cn.md
- https://github.com/Xyntax/POC-T/blob/2.0/script/activemq-weakpass.py
- https://github.com/Xyntax/POC-T/blob/2.0/script/activemq-upload.py
- https://github.com/WyAtu/Perun/tree/master/vuln/activemq
Download:
https://archive.apache.org/dist/activemq/5.11.1/apache-activemq-5.11.1-bin.zip
Environment setup
cd apache-activemq-5.11.1/bin
chmod +x activemq activemq-admin
./activemq start
View the log:
tail -f data/activemq.log
Default listening port: 8161
CVE-2015-5254: Deserialization
Affected versions:
Apache ActiveMQ 5.x before 5.13.0
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
CVE-2015-1830
Affected versions:
Apache ActiveMQ 5.x before 5.11.2 for Windows
Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows remote attackers to create JSP files in arbitrary directories via unspecified vectors.
CVE-2016-3088
Affected versions:
Apache ActiveMQ 5.x before 5.14.0
The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
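A defender-side check for the PUT-then-MOVE sequence described for CVE-2016-3088, as an added example that is not part of the original notes: it scans HTTP access-log lines for a successful PUT under /fileserver/ followed by a successful MOVE from the same client. The log format, the sample lines, the function name and the 10-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in NCSA common log format (an assumed format).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:00:01 +0000] "GET /admin/ HTTP/1.1" 401 0
198.51.100.7 - - [12/Mar/2024:10:00:05 +0000] "PUT /fileserver/a.txt HTTP/1.1" 204 0
198.51.100.7 - - [12/Mar/2024:10:00:09 +0000] "MOVE /fileserver/a.txt HTTP/1.1" 204 0
203.0.113.9 - - [12/Mar/2024:10:01:00 +0000] "PUT /fileserver/blob1 HTTP/1.1" 204 0
203.0.113.9 - - [12/Mar/2024:11:30:00 +0000] "MOVE /fileserver/blob1 HTTP/1.1" 204 0
192.0.2.4 - - [12/Mar/2024:10:02:00 +0000] "MOVE /other/x HTTP/1.1" 405 0
"""

# Client IP, timestamp, method, path and status of one access-log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_put_then_move(log_text, window=timedelta(minutes=10), prefix="/fileserver/"):
    """Hypothetical helper: return (ip, put_path, move_path, seconds_apart) for
    each successful MOVE that follows a successful PUT from the same client
    under `prefix` within `window`."""
    last_put = {}  # ip -> (timestamp, path) of the most recent successful PUT
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].lower().startswith(prefix):
            continue
        if not m["status"].startswith("2"):
            continue  # only requests the server accepted are correlated
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"] == "PUT":
            last_put[m["ip"]] = (ts, m["path"])
        elif m["method"] == "MOVE" and m["ip"] in last_put:
            put_ts, put_path = last_put[m["ip"]]
            delta = ts - put_ts
            if timedelta(0) <= delta <= window:
                alerts.append((m["ip"], put_path, m["path"], int(delta.total_seconds())))
    return alerts

if __name__ == "__main__":
    for alert in find_put_then_move(SAMPLE_LOG):
        print("PUT then MOVE on fileserver:", alert)
```

A standard access log does not record the MOVE request's Destination header, so a hit only shows that the sequence occurred; the target path has to be confirmed on the broker's filesystem.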
Debugging:
Find ACTIVEMQ_DEBUG_OPTS
and uncomment it.
Start:
.\activemq.bat start
Default username/password for the /admin page: admin/admin
However, this web port is not needed.
Look at port 61616:
Visit:
http://192.168.85.129:8161/admin/test/systemProperties.jsp
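It failed with 1.8; it could not compile. After switching to 1.7, it was accessible.
This endpoint can be accessed without authentication.
Weak password Pocsuite:
File upload Pocsuite: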